Import upstream version 5.1.3

600 files changed, 14024 insertions, 8684 deletions

diff --git a/Android.common.mk b/Android.common.mk
index 14abca868..9f49831f0 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.1.2"
+strongswan_VERSION := "5.1.3"
 
diff --git a/Makefile.in b/Makefile.in
index a81e93f0f..71157179d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -401,7 +401,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/NEWS b/NEWS
index 0d22295d4..fd33fb08d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,25 @@
+strongswan-5.1.3
+----------------
+
+- Fixed an authentication bypass vulnerability triggered by rekeying an
+  unestablished IKEv2 SA while it gets actively initiated.  This allowed an
+  attacker to trick a peer's IKE_SA state to established, without the need to
+  provide any valid authentication credentials.  The vulnerability has been
+  registered as CVE-2014-2338.
+
+- The acert plugin evaluates X.509 Attribute Certificates. Group membership
+  information encoded as strings can be used to fulfill authorization checks
+  defined with the rightgroups option. Attribute Certificates can be loaded
+  locally or get exchanged in IKEv2 certificate payloads.
+
+- The pki command gained support to generate X.509 Attribute Certificates
+  using the --acert subcommand, while the --print command supports the ac type.
+  The openac utility has been removed in favor of the new pki functionality.
+
+- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
+  has been extended by AEAD mode support, currently limited to AES-GCM.
+
+
 strongswan-5.1.2
 ----------------
 
diff --git a/conf/Makefile.in b/conf/Makefile.in
index d92593219..e14c44e3e 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -346,7 +346,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/conf/format-options.py b/conf/format-options.py
index 04afed6d6..fc6e6e1fd 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -54,6 +54,7 @@ import sys
 import re
 from textwrap import TextWrapper
 from optparse import OptionParser
+from operator import attrgetter
 
 class ConfigOption:
 	"""Representing a configuration option or described section in strongswan.conf"""
@@ -67,9 +68,7 @@ class ConfigOption:
 		self.options = []
 
 	def __cmp__(self, other):
-		if self.section == other.section:
-			return  cmp(self.name, other.name)
-		return 1 if self.section else -1
+		return  cmp(self.name, other.name)
 
 	def add_paragraph(self):
 		"""Adds a new paragraph to the description"""
@@ -246,7 +245,7 @@ class ConfFormatter:
 		self.__print_description(section, indent)
 		print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
 		print
-		for o in section.options:
+		for o in sorted(section.options, key=attrgetter('section')):
 			if o.section:
 				self.__print_section(o, indent + 1, section.commented)
 			else:
@@ -258,7 +257,7 @@ class ConfFormatter:
 		"""Print a list of options"""
 		if not options:
 			return
-		for option in options:
+		for option in sorted(options, key=attrgetter('section')):
 			if option.section:
 				self.__print_section(option, 0, False)
 			else:
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
index a3ab099ed..781635ceb 100644
--- a/conf/options/tools.conf
+++ b/conf/options/tools.conf
@@ -1,10 +1,3 @@
-openac {
-
-    # Plugins to load in ipsec openac tool.
-    # load =
-
-}
-
 pki {
 
     # Plugins to load in ipsec pki tool.
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
index 23e6a1c9f..72a49de28 100644
--- a/conf/options/tools.opt
+++ b/conf/options/tools.opt
@@ -1,6 +1,3 @@
-openac.load =
-	Plugins to load in ipsec openac tool.
-
 pki.load =
 	Plugins to load in ipsec pki tool.
 
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 53023b81e..64db67456 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -3,6 +3,10 @@ eap-radius {
     # Send RADIUS accounting information to RADIUS servers.
     # accounting = no
 
+    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+    # updates.
+    # accounting_close_on_timeout = yes
+
     # If enabled, accounting is disabled unless an IKE_SA has at least one
     # virtual IP.
     # accounting_requires_vip = no
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0edd3458c..0df6a0d6f 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -1,6 +1,10 @@
 charon.plugins.eap-radius.accounting = no
 	Send RADIUS accounting information to RADIUS servers.
 
+charon.plugins.eap-radius.accounting_close_on_timeout = yes
+	Close the IKE_SA if there is a timeout during interim RADIUS accounting
+	updates.
+
 charon.plugins.eap-radius.accounting_requires_vip = no
 	If enabled, accounting is disabled unless an IKE_SA has at least one
 	virtual IP.
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
index ffb1b45a3..2d8deaa8e 100644
--- a/conf/plugins/imc-attestation.conf
+++ b/conf/plugins/imc-attestation.conf
@@ -13,6 +13,9 @@ imc-attestation {
     # priority of this plugin.
     load = yes
 
+    # Enforce mandatory Diffie-Hellman groups.
+    # mandatory_dh_groups = yes
+
     # DH nonce length.
     # nonce_len = 20
 
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9c108053b..aaac4c2c1 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert =
 charon.plugins.imc-attestation.aik_key =
 	AIK public key file.
 
+charon.plugins.imc-attestation.mandatory_dh_groups = yes
+	Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imc-attestation.nonce_len = 20
 	DH nonce length.
 
@@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes
 	Use Quote2 AIK signature instead of Quote signature.
 
 charon.plugins.imc-attestation.pcr_info = yes
-	Whether to send pcr_before and pcr_after info.
\ No newline at end of file
+	Whether to send pcr_before and pcr_after info.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
index 48ffba839..3a1a7f225 100644
--- a/conf/plugins/imv-attestation.conf
+++ b/conf/plugins/imv-attestation.conf
@@ -35,6 +35,9 @@ imv-attestation {
     # priority of this plugin.
     load = yes
 
+    # Enforce mandatory Diffie-Hellman groups.
+    # mandatory_dh_groups = yes
+
     # DH minimum nonce length.
     # min_nonce_len = 0
 
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index c0ae20488..f266281e6 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -1,6 +1,9 @@
 charon.plugins.imv-attestation.cadir =
 	Path to directory with AIK cacerts.
 
+charon.plugins.imv-attestation.mandatory_dh_groups = yes
+	Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imv-attestation.dh_group = ecp256
 	Preferred Diffie-Hellman group.
 
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 282b8fa70..12fde4903 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -48,6 +48,37 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
 Number of half\-open IKE_SAs that activate the cookie mechanism.
 
 .TP
+.BR charon.crypto_test.bench " [no]"
+Benchmark crypto algorithms and order them by efficiency.
+
+.TP
+.BR charon.crypto_test.bench_size " [1024]"
+Buffer size used for crypto benchmark.
+
+.TP
+.BR charon.crypto_test.bench_time " [50]"
+Number of iterations to test each algorithm.
+
+.TP
+.BR charon.crypto_test.on_add " [no]"
+Test crypto algorithms during registration (requires test vectors provided by
+the
+.RI "" "test\-vectors" ""
+plugin).
+
+.TP
+.BR charon.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation.
+
+.TP
+.BR charon.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm.
+
+.TP
+.BR charon.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+.TP
 .BR charon.dh_exponent_ansi_x9_42 " [yes]"
 Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 strength.
@@ -69,6 +100,47 @@ Enable Denial of Service protection using cookies and aggressiveness checks.
 Compliance with the errata for RFC 4753.
 
 .TP
+.B charon.filelog
+.br
+Section to define file loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.filelog.<filename>
+.br
+<filename> is the full path to the log file.
+
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.filelog.<filename>.time_format " []"
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.RB "" "strftime" "(3)."
+
+
+.TP
 .BR charon.flush_auth_cfg " [no]"
 If enabled objects used during authentication (certificates, identities etc.)
 are released to free memory once an IKE_SA is established. Enabling this might
@@ -92,6 +164,14 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 Enable hash and URL support.
 
 .TP
+.BR charon.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused).
+
+.TP
+.BR charon.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around.
+
+.TP
 .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
 If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
 keys, which is discouraged due to security concerns (offline attacks on the
@@ -115,6 +195,34 @@ Number of exclusively locked segments in the hash table.
 Size of the IKE_SA hash table.
 
 .TP
+.B charon.imcv
+.br
+Defaults for options in this section can be configured in the
+.RI "" "libimcv" ""
+section.
+
+.TP
+.BR charon.imcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute.
+
+.TP
+.BR charon.imcv.database " []"
+Global IMV policy database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.imcv.os_info.name " []"
+Manually set the name of the client OS (e.g. Ubuntu).
+
+.TP
+.BR charon.imcv.os_info.version " []"
+Manually set the version of the client OS (e.g. 12.04 i686).
+
+.TP
+.BR charon.imcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies.
+
+.TP
 .BR charon.inactivity_close_ike " [no]"
 Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
 
@@ -167,6 +275,18 @@ other interfaces are ignored.
 NAT keep alive interval.
 
 .TP
+.BR charon.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output.
+
+.TP
+.BR charon.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all).
+
+.TP
+.BR charon.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all).
+
+.TP
 .BR charon.load " []"
 Plugins to load in the IKE daemon charon.
 
@@ -198,225 +318,6 @@ WINS servers assigned to peer via configuration payload (CP).
 WINS servers assigned to peer via configuration payload (CP).
 
 .TP
-.BR charon.port " [500]"
-UDP port used locally. If set to 0 a random port will be allocated.
-
-.TP
-.BR charon.port_nat_t " [4500]"
-UDP port used locally in case of NAT\-T. If set to 0 a random port will be
-allocated.  Has to be different from
-.RB "" "charon.port" ","
-otherwise a random port
-will be allocated.
-
-.TP
-.BR charon.process_route " [yes]"
-Process RTM_NEWROUTE and RTM_DELROUTE events.
-
-.TP
-.BR charon.receive_delay " [0]"
-Delay in ms for receiving packets, to simulate larger RTT.
-
-.TP
-.BR charon.receive_delay_request " [yes]"
-Delay request messages.
-
-.TP
-.BR charon.receive_delay_response " [yes]"
-Delay response messages.
-
-.TP
-.BR charon.receive_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any.
-
-.TP
-.BR charon.replay_window " [32]"
-Size of the AH/ESP replay window, in packets.
-
-.TP
-.BR charon.retransmit_base " [1.8]"
-Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
-.RB "" "strongswan.conf" "(5)."
-
-
-.TP
-.BR charon.retransmit_timeout " [4.0]"
-Timeout in seconds before sending first retransmit.
-
-.TP
-.BR charon.retransmit_tries " [5]"
-Number of times to retransmit a packet before giving up.
-
-.TP
-.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
-
-.TP
-.BR charon.reuse_ikesa " [yes]"
-Initiate CHILD_SA within existing IKE_SAs.
-
-.TP
-.BR charon.routing_table " []"
-Numerical routing table to install routes to.
-
-.TP
-.BR charon.routing_table_prio " []"
-Priority of the routing table.
-
-.TP
-.BR charon.send_delay " [0]"
-Delay in ms for sending packets, to simulate larger RTT.
-
-.TP
-.BR charon.send_delay_request " [yes]"
-Delay request messages.
-
-.TP
-.BR charon.send_delay_response " [yes]"
-Delay response messages.
-
-.TP
-.BR charon.send_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any.
-
-.TP
-.BR charon.send_vendor_id " [no]"
-Send strongSwan vendor ID payload
-
-.TP
-.BR charon.threads " [16]"
-Number of worker threads in charon. Several of these are reserved for long
-running tasks in internal modules and plugins. Therefore, make sure you don't
-set this value too low. The number of idle worker threads listed in
-.RI "" "ipsec statusall" ""
-might be used as indicator on the number of reserved threads.
-
-.TP
-.BR charon.user " []"
-Name of the user the daemon changes to after startup.
-
-.TP
-.BR charon.crypto_test.bench " [no]"
-Benchmark crypto algorithms and order them by efficiency.
-
-.TP
-.BR charon.crypto_test.bench_size " [1024]"
-Buffer size used for crypto benchmark.
-
-.TP
-.BR charon.crypto_test.bench_time " [50]"
-Number of iterations to test each algorithm.
-
-.TP
-.BR charon.crypto_test.on_add " [no]"
-Test crypto algorithms during registration (requires test vectors provided by
-the
-.RI "" "test\-vectors" ""
-plugin).
-
-.TP
-.BR charon.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation.
-
-.TP
-.BR charon.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm.
-
-.TP
-.BR charon.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy.
-
-.TP
-.B charon.filelog
-.br
-Section to define file loggers, see LOGGER CONFIGURATION in
-.RB "" "strongswan.conf" "(5)."
-
-
-.TP
-.B charon.filelog.<filename>
-.br
-<filename> is the full path to the log file.
-
-.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
-Loglevel for a specific subsystem.
-
-.TP
-.BR charon.filelog.<filename>.append " [yes]"
-If this option is enabled log entries are appended to the existing file.
-
-.TP
-.BR charon.filelog.<filename>.default " [1]"
-Specifies the default loglevel to be used for subsystems for which no specific
-loglevel is defined.
-
-.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
-Enabling this option disables block buffering and enables line buffering.
-
-.TP
-.BR charon.filelog.<filename>.ike_name " [no]"
-Prefix each log entry with the connection name and a unique numerical identifier
-for each IKE_SA.
-
-.TP
-.BR charon.filelog.<filename>.time_format " []"
-Prefix each log entry with a timestamp. The option accepts a format string as
-passed to
-.RB "" "strftime" "(3)."
-
-
-.TP
-.BR charon.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused).
-
-.TP
-.BR charon.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around.
-
-.TP
-.B charon.imcv
-.br
-Defaults for options in this section can be configured in the
-.RI "" "libimcv" ""
-section.
-
-.TP
-.BR charon.imcv.assessment_result " [yes]"
-Whether IMVs send a standard IETF Assessment Result attribute.
-
-.TP
-.BR charon.imcv.database " []"
-Global IMV policy database URI. If it contains a password, make sure to adjust
-the permissions of the config file accordingly.
-
-.TP
-.BR charon.imcv.policy_script " [ipsec _imv_policy]"
-Script called for each TNC connection to generate IMV policies.
-
-.TP
-.BR charon.imcv.os_info.name " []"
-Manually set the name of the client OS (e.g. Ubuntu).
-
-.TP
-.BR charon.imcv.os_info.version " []"
-Manually set the version of the client OS (e.g. 12.04 i686).
-
-.TP
-.BR charon.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output.
-
-.TP
-.BR charon.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all).
-
-.TP
-.BR charon.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all).
-
-.TP
 .BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger.
 
@@ -588,6 +489,10 @@ Request peer authentication based on a client certificate.
 Send RADIUS accounting information to RADIUS servers.
 
 .TP
+.BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]"
+Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
+
+.TP
 .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
 If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
 
@@ -608,6 +513,23 @@ Closes all IKE_SAs if communication with the RADIUS server times out. If it is
 not set only the current IKE_SA is closed.
 
 .TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests.
+
+.TP
+.BR charon.plugins.eap-radius.dae.secret " []"
+Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
 
@@ -627,6 +549,20 @@ option in
 
 
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
+or attribute number, a colon can be used to specify vendor\-specific attributes,
+e.g. Reply\-Message, or 11, or 36906:12).
+
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
+Same as
+.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+
+.TP
 .BR charon.plugins.eap-radius.id_prefix " []"
 Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP
 method.
@@ -649,41 +585,6 @@ permissions of the config file accordingly.
 IP/Hostname of RADIUS server.
 
 .TP
-.BR charon.plugins.eap-radius.sockets " [1]"
-Number of sockets (ports) to use, increase for high load.
-
-.TP
-.BR charon.plugins.eap-radius.dae.enable " [no]"
-Enables support for the Dynamic Authorization Extension (RFC 5176).
-
-.TP
-.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
-Address to listen for DAE messages from the RADIUS server.
-
-.TP
-.BR charon.plugins.eap-radius.dae.port " [3799]"
-Port to listen for DAE requests.
-
-.TP
-.BR charon.plugins.eap-radius.dae.secret " []"
-Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
-permissions of the config file accordingly.
-
-.TP
-.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
-RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
-or attribute number, a colon can be used to specify vendor\-specific attributes,
-e.g. Reply\-Message, or 11, or 36906:12).
-
-.TP
-.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
-Same as
-.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
-but from RADIUS to
-IKEv2, a strongSwan specific private notify (40969) is used to transmit the
-attributes.
-
-.TP
 .B charon.plugins.eap-radius.servers
 .br
 Section to specify multiple RADIUS servers. The
@@ -706,6 +607,10 @@ accounting. For each RADIUS server a priority can be specified using the
 [0] option.
 
 .TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load.
+
+.TP
 .B charon.plugins.eap-radius.xauth
 .br
 Section to configure multiple XAuth authentication rounds via RADIUS. The
@@ -842,6 +747,10 @@ AIK certificate file.
 AIK public key file.
 
 .TP
+.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
 .BR charon.plugins.imc-attestation.nonce_len " [20]"
 DH nonce length.
 
@@ -922,6 +831,10 @@ Preferred Diffie\-Hellman group.
 Preferred measurement hash algorithm.
 
 .TP
+.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
 .BR charon.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length.
 
@@ -992,6 +905,12 @@ Section to configure the load\-tester plugin, see LOAD TESTS in
 for details.
 
 .TP
+.B charon.plugins.load-tester.addrs
+.br
+Section that contains key/value pairs with address pools (in CIDR notation) to
+use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+.TP
 .BR charon.plugins.load-tester.addrs_keep " [no]"
 Whether to keep dynamic addresses even after the associated SA got terminated.
 
@@ -1157,12 +1076,6 @@ IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder).
 
 .TP
-.B charon.plugins.load-tester.addrs
-.br
-Section that contains key/value pairs with address pools (in CIDR notation) to
-use for a specific network interface e.g. eth0 = 10.10.0.0/16.
-
-.TP
 .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
 Socket provided by the lookip plugin.
 
@@ -1195,6 +1108,11 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
 Whether to load certificates from tokens.
 
 .TP
+.B charon.plugins.pkcs11.modules
+.br
+List of available PKCS#11 modules.
+
+.TP
 .BR charon.plugins.pkcs11.reload_certs " [no]"
 Reload certificates from all tokens if charon receives a SIGHUP.
 
@@ -1223,11 +1141,6 @@ keys not stored on tokens.
 Whether the PKCS#11 modules should be used as RNG.
 
 .TP
-.B charon.plugins.pkcs11.modules
-.br
-List of available PKCS#11 modules.
-
-.TP
 .BR charon.plugins.radattr.dir " []"
 Directory where RADIUS attributes are stored in client\-ID specific files.
 
@@ -1378,14 +1291,6 @@ or
 
 
 .TP
-.BR charon.plugins.tnc-pdp.server " []"
-Name of the strongSwan PDP as contained in the AAA certificate.
-
-.TP
-.BR charon.plugins.tnc-pdp.timeout " []"
-Timeout in seconds before closing incomplete connections.
-
-.TP
 .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
 Enable PT\-TLS protocol on the strongSwan PDP.
 
@@ -1411,6 +1316,14 @@ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
 the permissions of the config file accordingly.
 
 .TP
+.BR charon.plugins.tnc-pdp.server " []"
+Name of the strongSwan PDP as contained in the AAA certificate.
+
+.TP
+.BR charon.plugins.tnc-pdp.timeout " []"
+Timeout in seconds before closing incomplete connections.
+
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA\-TNC message (XML & Base64 encoding).
 
@@ -1472,6 +1385,22 @@ If an email address is received as an XAuth username, trim it to just the
 username part.
 
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT\-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.RB "" "charon.port" ","
+otherwise a random port
+will be allocated.
+
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+.TP
 .B charon.processor.priority_threads
 .br
 Section to configure the number of reserved threads per priority class see JOB
@@ -1480,6 +1409,77 @@ PRIORITY MANAGEMENT in
 
 
 .TP
+.BR charon.receive_delay " [0]"
+Delay in ms for receiving packets, to simulate larger RTT.
+
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.retransmit_timeout " [4.0]"
+Timeout in seconds before sending first retransmit.
+
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up.
+
+.TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+
+.TP
+.BR charon.reuse_ikesa " [yes]"
+Initiate CHILD_SA within existing IKE_SAs.
+
+.TP
+.BR charon.routing_table " []"
+Numerical routing table to install routes to.
+
+.TP
+.BR charon.routing_table_prio " []"
+Priority of the routing table.
+
+.TP
+.BR charon.send_delay " [0]"
+Delay in ms for sending packets, to simulate larger RTT.
+
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.send_vendor_id " [no]"
+Send strongSwan vendor ID payload
+
+.TP
 .B charon.syslog
 .br
 Section to define syslog loggers, see LOGGER CONFIGURATION in
@@ -1487,16 +1487,6 @@ Section to define syslog loggers, see LOGGER CONFIGURATION in
 
 
 .TP
-.BR charon.syslog.identifier " []"
-Global identifier used for an
-.RB "" "openlog" "(3)"
-call, prepended to each log message
-by syslog.  If not configured,
-.RB "" "openlog" "(3)"
-is not called, so the value will
-depend on system defaults (often the program name).
-
-.TP
 .B charon.syslog.<facility>
 .br
 <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
@@ -1519,6 +1509,24 @@ Prefix each log entry with the connection name and a unique numerical identifier
 for each IKE_SA.
 
 .TP
+.BR charon.syslog.identifier " []"
+Global identifier used for an
+.RB "" "openlog" "(3)"
+call, prepended to each log message
+by syslog.  If not configured,
+.RB "" "openlog" "(3)"
+is not called, so the value will
+depend on system defaults (often the program name).
+
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.RI "" "ipsec statusall" ""
+might be used as indicator on the number of reserved threads.
+
+.TP
 .BR charon.tls.cipher " []"
 List of TLS encryption ciphers.
 
@@ -1539,6 +1547,10 @@ List of TLS cipher suites.
 TNC IMC/IMV configuration file.
 
 .TP
+.BR charon.user " []"
+Name of the user the daemon changes to after startup.
+
+.TP
 .BR charon.x509.enforce_critical " [yes]"
 Discard certificates with unsupported or unknown critical extensions.
 
@@ -1623,10 +1635,6 @@ Number of thread for mediation service web application.
 Session timeout for mediation service.
 
 .TP
-.BR openac.load " []"
-Plugins to load in ipsec openac tool.
-
-.TP
 .BR pacman.database " []"
 Database URI for the database that stores the package information. If it
 contains a password, make sure to adjust the permissions of the config file
diff --git a/configure b/configure
index 652a5d06f..6c4e4c925 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.1.2.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.1.3.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.1.2'
-PACKAGE_STRING='strongSwan 5.1.2'
+PACKAGE_VERSION='5.1.3'
+PACKAGE_STRING='strongSwan 5.1.3'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -921,6 +921,8 @@ USE_PKCS1_FALSE
 USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
 USE_PUBKEY_TRUE
+USE_ACERT_FALSE
+USE_ACERT_TRUE
 USE_CONSTRAINTS_FALSE
 USE_CONSTRAINTS_TRUE
 USE_REVOCATION_FALSE
@@ -974,7 +976,6 @@ manager_plugins
 scripts_plugins
 pki_plugins
 scepclient_plugins
-openac_plugins
 attest_plugins
 pool_plugins
 starter_plugins
@@ -1196,58 +1197,58 @@ with_tss
 with_capabilities
 with_mpz_powm_sec
 with_dev_headers
+with_printf_hooks
 with_systemdsystemunitdir
 with_user
 with_group
 with_charon_udp_port
 with_charon_natt_port
-enable_curl
-enable_unbound
-enable_soup
-enable_ldap
 enable_aes
-enable_des
+enable_af_alg
 enable_blowfish
-enable_rc2
+enable_ccm
+enable_cmac
+enable_ctr
+enable_des
+enable_fips_prf
+enable_gcm
+enable_gcrypt
+enable_gmp
+enable_hmac
 enable_md4
 enable_md5
+enable_nonce
+enable_ntru
+enable_openssl
+enable_padlock
+enable_random
+enable_rc2
+enable_rdrand
 enable_sha1
 enable_sha2
-enable_fips_prf
-enable_gmp
-enable_rdrand
-enable_random
-enable_nonce
-enable_x509
-enable_revocation
-enable_constraints
-enable_pubkey
+enable_xcbc
+enable_dnskey
+enable_pem
+enable_pgp
 enable_pkcs1
 enable_pkcs7
 enable_pkcs8
 enable_pkcs12
-enable_pgp
-enable_dnskey
+enable_pubkey
 enable_sshkey
-enable_dnscert
-enable_ipseckey
-enable_pem
-enable_hmac
-enable_cmac
-enable_xcbc
-enable_af_alg
-enable_test_vectors
+enable_x509
+enable_curl
+enable_ldap
+enable_soup
+enable_unbound
 enable_mysql
 enable_sqlite
-enable_stroke
-enable_medsrv
-enable_medcli
-enable_smp
-enable_sql
-enable_leak_detective
-enable_lock_profiler
-enable_unit_tester
-enable_load_tester
+enable_addrblock
+enable_acert
+enable_agent
+enable_constraints
+enable_coupling
+enable_dnscert
 enable_eap_sim
 enable_eap_sim_file
 enable_eap_sim_pcsc
@@ -1266,89 +1267,91 @@ enable_eap_peap
 enable_eap_tnc
 enable_eap_dynamic
 enable_eap_radius
+enable_ipseckey
+enable_keychain
+enable_pkcs11
+enable_revocation
+enable_whitelist
 enable_xauth_generic
 enable_xauth_eap
 enable_xauth_pam
 enable_xauth_noauth
-enable_tnc_ifmap
-enable_tnc_pdp
-enable_tnc_imc
-enable_tnc_imv
-enable_tnccs_11
-enable_tnccs_20
-enable_tnccs_dynamic
-enable_imc_test
-enable_imv_test
-enable_imc_scanner
-enable_imv_scanner
-enable_imc_os
-enable_imv_os
-enable_imc_attestation
-enable_imv_attestation
-enable_imc_swid
-enable_imv_swid
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
 enable_kernel_klips
 enable_kernel_libipsec
-enable_libipsec
 enable_socket_default
 enable_socket_dynamic
-enable_farp
-enable_dumm
-enable_fast
-enable_manager
-enable_mediation
-enable_integrity_test
-enable_load_warning
-enable_ikev1
-enable_ikev2
-enable_charon
-enable_tools
-enable_scripts
-enable_conftest
-enable_updown
+enable_stroke
+enable_smp
+enable_sql
+enable_uci
+enable_android_dns
 enable_attr
 enable_attr_sql
 enable_dhcp
+enable_osx_attr
 enable_resolve
-enable_padlock
-enable_openssl
-enable_gcrypt
-enable_agent
-enable_keychain
-enable_pkcs11
-enable_ctr
-enable_ccm
-enable_gcm
-enable_ntru
-enable_addrblock
 enable_unity
-enable_uci
-enable_osx_attr
-enable_android_dns
+enable_imc_test
+enable_imv_test
+enable_imc_scanner
+enable_imv_scanner
+enable_imc_os
+enable_imv_os
+enable_imc_attestation
+enable_imv_attestation
+enable_imc_swid
+enable_imv_swid
+enable_tnc_ifmap
+enable_tnc_imc
+enable_tnc_imv
+enable_tnc_pdp
+enable_tnccs_11
+enable_tnccs_20
+enable_tnccs_dynamic
 enable_android_log
-enable_maemo
-enable_nm
-enable_ha
-enable_whitelist
-enable_lookip
-enable_error_notify
 enable_certexpire
-enable_systime_fix
-enable_led
 enable_duplicheck
-enable_coupling
+enable_error_notify
+enable_farp
+enable_ha
+enable_led
+enable_load_tester
+enable_lookip
+enable_maemo
 enable_radattr
-enable_vstr
-enable_monolithic
+enable_systime_fix
+enable_test_vectors
+enable_unit_tester
+enable_updown
+enable_charon
+enable_cmd
+enable_conftest
+enable_dumm
+enable_fast
+enable_libipsec
+enable_manager
+enable_medcli
+enable_medsrv
+enable_nm
+enable_scripts
+enable_tkm
+enable_tools
 enable_bfd_backtraces
+enable_ikev1
+enable_ikev2
+enable_integrity_test
+enable_load_warning
+enable_mediation
 enable_unwind_backtraces
 enable_coverage
-enable_tkm
-enable_cmd
+enable_leak_detective
+enable_lock_profiler
+enable_monolithic
 enable_defaults
+enable_all
 enable_dependency_tracking
 with_lib_prefix
 enable_shared
@@ -1926,7 +1929,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.1.2 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.1.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1996,7 +1999,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.1.2:";;
+     short | recursive ) echo "Configuration of strongSwan 5.1.3:";;
    esac
   cat <<\_ACEOF
 
@@ -2006,64 +2009,61 @@ Optional Features:
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-silent-rules   less verbose build output (undo: "make V=1")
   --disable-silent-rules  verbose build output (undo: "make V=0")
-  --enable-curl           enable CURL fetcher plugin to fetch files via
-                          libcurl. Requires libcurl.
-  --enable-unbound        enable UNBOUND resolver plugin to perform DNS
-                          queries via libunbound. Requires libldns and
-                          libunbound.
-  --enable-soup           enable soup fetcher plugin to fetch from HTTP via
-                          libsoup. Requires libsoup.
-  --enable-ldap           enable LDAP fetching plugin to fetch files via
-                          libldap. Requires openLDAP.
   --disable-aes           disable AES software implementation plugin.
-  --disable-des           disable DES/3DES software implementation plugin.
+  --enable-af-alg         enable AF_ALG crypto interface to Linux Crypto API.
   --enable-blowfish       enable Blowfish software implementation plugin.
-  --disable-rc2           disable RC2 software implementation plugin.
+  --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
+  --disable-cmac          disable CMAC crypto implementation plugin.
+  --enable-ctr            enables the Counter Mode wrapper crypto plugin.
+  --disable-des           disable DES/3DES software implementation plugin.
+  --disable-fips-prf      disable FIPS PRF software implementation plugin.
+  --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
+  --enable-gcrypt         enables the libgcrypt plugin.
+  --disable-gmp           disable GNU MP (libgmp) based crypto implementation
+                          plugin.
+  --disable-hmac          disable HMAC crypto implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
+  --disable-nonce         disable nonce generation plugin.
+  --enable-ntru           enables the NTRU crypto plugin.
+  --enable-openssl        enables the OpenSSL crypto plugin.
+  --enable-padlock        enables VIA Padlock crypto plugin.
+  --disable-random        disable RNG implementation on top of /dev/(u)random.
+  --disable-rc2           disable RC2 software implementation plugin.
+  --enable-rdrand         enable Intel RDRAND random generator plugin.
   --disable-sha1          disable SHA1 software implementation plugin.
   --disable-sha2          disable SHA256/SHA384/SHA512 software implementation
                           plugin.
-  --disable-fips-prf      disable FIPS PRF software implementation plugin.
-  --disable-gmp           disable GNU MP (libgmp) based crypto implementation
-                          plugin.
-  --enable-rdrand         enable Intel RDRAND random generator plugin.
-  --disable-random        disable RNG implementation on top of /dev/(u)random.
-  --disable-nonce         disable nonce generation plugin.
-  --disable-x509          disable X509 certificate implementation plugin.
-  --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
-  --disable-constraints   disable advanced X509 constraint checking plugin.
-  --disable-pubkey        disable RAW public key support plugin.
+  --disable-xcbc          disable xcbc crypto implementation plugin.
+  --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-pem           disable PEM decoding plugin.
+  --disable-pgp           disable PGP key decoding plugin.
   --disable-pkcs1         disable PKCS1 key decoding plugin.
   --disable-pkcs7         disable PKCS7 container support plugin.
   --disable-pkcs8         disable PKCS8 private key decoding plugin.
   --disable-pkcs12        disable PKCS12 container support plugin.
-  --disable-pgp           disable PGP key decoding plugin.
-  --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-pubkey        disable RAW public key support plugin.
   --disable-sshkey        disable SSH key decoding plugin.
-  --enable-dnscert        enable DNSCERT authentication plugin.
-  --enable-ipseckey       enable IPSECKEY authentication plugin.
-  --disable-pem           disable PEM decoding plugin.
-  --disable-hmac          disable HMAC crypto implementation plugin.
-  --disable-cmac          disable CMAC crypto implementation plugin.
-  --disable-xcbc          disable xcbc crypto implementation plugin.
-  --enable-af-alg         enable AF_ALG crypto interface to Linux Crypto API.
-  --enable-test-vectors   enable plugin providing crypto test vectors.
+  --disable-x509          disable X509 certificate implementation plugin.
+  --enable-curl           enable CURL fetcher plugin to fetch files via
+                          libcurl. Requires libcurl.
+  --enable-ldap           enable LDAP fetching plugin to fetch files via
+                          libldap. Requires openLDAP.
+  --enable-soup           enable soup fetcher plugin to fetch from HTTP via
+                          libsoup. Requires libsoup.
+  --enable-unbound        enable UNBOUND resolver plugin to perform DNS
+                          queries via libunbound. Requires libldns and
+                          libunbound.
   --enable-mysql          enable MySQL database support. Requires
                           libmysqlclient_r.
   --enable-sqlite         enable SQLite database support. Requires libsqlite3.
-  --disable-stroke        disable charons stroke configuration backend.
-  --enable-medsrv         enable mediation server web frontend and daemon
-                          plugin.
-  --enable-medcli         enable mediation client configuration database
-                          plugin.
-  --enable-smp            enable SMP configuration and control interface.
-                          Requires libxml.
-  --enable-sql            enable SQL database configuration backend.
-  --enable-leak-detective enable malloc hooks to find memory leaks.
-  --enable-lock-profiler  enable lock/mutex profiling code.
-  --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
-  --enable-load-tester    enable load testing plugin for IKEv2 daemon.
+  --enable-addrblock      enables RFC 3779 address block constraint support.
+  --enable-acert          enable X509 attribute certificate checking plugin.
+  --enable-agent          enables the ssh-agent signing plugin.
+  --disable-constraints   disable advanced X509 constraint checking plugin.
+  --enable-coupling       enable IKEv2 plugin to couple peer certificates
+                          permanently to authentication.
+  --enable-dnscert        enable DNSCERT authentication plugin.
   --enable-eap-sim        enable SIM authentication module for EAP.
   --enable-eap-sim-file   enable EAP-SIM backend based on a triplet file.
   --enable-eap-sim-pcsc   enable EAP-SIM backend based on a smartcard reader.
@@ -2088,31 +2088,17 @@ Optional Features:
   --enable-eap-tnc        enable EAP TNC trusted network connect module.
   --enable-eap-dynamic    enable dynamic EAP proxy module.
   --enable-eap-radius     enable RADIUS proxy authentication module.
+  --enable-ipseckey       enable IPSECKEY authentication plugin.
+  --enable-keychain       enables OS X Keychain Services credential set.
+  --enable-pkcs11         enables the PKCS11 token support plugin.
+  --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
+  --enable-whitelist      enable peer identity whitelisting plugin.
   --disable-xauth-generic disable generic XAuth backend.
   --enable-xauth-eap      enable XAuth backend using EAP methods to verify
                           passwords.
   --enable-xauth-pam      enable XAuth backend using PAM to verify passwords.
   --enable-xauth-noauth   enable XAuth pseudo-backend that does not actually
                           verify or even request any credentials.
-  --enable-tnc-ifmap      enable TNC IF-MAP module. Requires libxml
-  --enable-tnc-pdp        enable TNC policy decision point module.
-  --enable-tnc-imc        enable TNC IMC module.
-  --enable-tnc-imv        enable TNC IMV module.
-  --enable-tnccs-11       enable TNCCS 1.1 protocol module. Requires libxml
-  --enable-tnccs-20       enable TNCCS 2.0 protocol module.
-  --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
-  --enable-imc-test       enable IMC test module.
-  --enable-imv-test       enable IMV test module.
-  --enable-imc-scanner    enable IMC port scanner module.
-  --enable-imv-scanner    enable IMV port scanner module.
-  --enable-imc-os         enable IMC operating system module.
-  --enable-imv-os         enable IMV operating system module.
-  --enable-imc-attestation
-                          enable IMC attestation module.
-  --enable-imv-attestation
-                          enable IMV attestation module.
-  --enable-imc-swid       enable IMC swid module.
-  --enable-imv-swid       enable IMV swid module.
   --disable-kernel-netlink
                           disable the netlink kernel interface.
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
@@ -2120,85 +2106,103 @@ Optional Features:
   --enable-kernel-klips   enable the KLIPS kernel interface.
   --enable-kernel-libipsec
                           enable the libipsec kernel interface.
-  --enable-libipsec       enable user space IPsec implementation.
   --disable-socket-default
                           disable default socket implementation for charon.
   --enable-socket-dynamic enable dynamic socket implementation for charon
-  --enable-farp           enable ARP faking plugin that responds to ARP
-                          requests to peers virtual IP
-  --enable-dumm           enable the DUMM UML test framework.
-  --enable-fast           enable libfast (FastCGI Application Server w/
-                          templates.
-  --enable-manager        enable web management console (proof of concept).
-  --enable-mediation      enable IKEv2 Mediation Extension.
-  --enable-integrity-test enable integrity testing of libstrongswan and
-                          plugins.
-  --disable-load-warning  disable the charon plugin load option warning in
-                          starter.
-  --disable-ikev1         disable IKEv1 protocol support in charon.
-  --disable-ikev2         disable IKEv2 protocol support in charon.
-  --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
-  --disable-tools         disable additional utilities (openac, scepclient and
-                          pki).
-  --disable-scripts       disable additional utilities (found in directory
-                          scripts).
-  --enable-conftest       enforce Suite B conformance test framework.
-  --disable-updown        disable updown firewall script plugin.
+  --disable-stroke        disable charons stroke configuration backend.
+  --enable-smp            enable SMP configuration and control interface.
+                          Requires libxml.
+  --enable-sql            enable SQL database configuration backend.
+  --enable-uci            enable OpenWRT UCI configuration plugin.
+  --enable-android-dns    enable Android specific DNS handler.
   --disable-attr          disable strongswan.conf based configuration
                           attribute plugin.
   --enable-attr-sql       enable SQL based configuration attribute plugin.
   --enable-dhcp           enable DHCP based attribute provider plugin.
+  --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
   --disable-resolve       disable resolve DNS handler plugin.
-  --enable-padlock        enables VIA Padlock crypto plugin.
-  --enable-openssl        enables the OpenSSL crypto plugin.
-  --enable-gcrypt         enables the libgcrypt plugin.
-  --enable-agent          enables the ssh-agent signing plugin.
-  --enable-keychain       enables OS X Keychain Services credential set.
-  --enable-pkcs11         enables the PKCS11 token support plugin.
-  --enable-ctr            enables the Counter Mode wrapper crypto plugin.
-  --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
-  --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
-  --enable-ntru           enables the NTRU crypto plugin.
-  --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-unity          enables Cisco Unity extension plugin.
-  --enable-uci            enable OpenWRT UCI configuration plugin.
-  --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
-  --enable-android-dns    enable Android specific DNS handler.
+  --enable-imc-test       enable IMC test module.
+  --enable-imv-test       enable IMV test module.
+  --enable-imc-scanner    enable IMC port scanner module.
+  --enable-imv-scanner    enable IMV port scanner module.
+  --enable-imc-os         enable IMC operating system module.
+  --enable-imv-os         enable IMV operating system module.
+  --enable-imc-attestation
+                          enable IMC attestation module.
+  --enable-imv-attestation
+                          enable IMV attestation module.
+  --enable-imc-swid       enable IMC swid module.
+  --enable-imv-swid       enable IMV swid module.
+  --enable-tnc-ifmap      enable TNC IF-MAP module. Requires libxml
+  --enable-tnc-imc        enable TNC IMC module.
+  --enable-tnc-imv        enable TNC IMV module.
+  --enable-tnc-pdp        enable TNC policy decision point module.
+  --enable-tnccs-11       enable TNCCS 1.1 protocol module. Requires libxml
+  --enable-tnccs-20       enable TNCCS 2.0 protocol module.
+  --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --enable-android-log    enable Android specific logger plugin.
-  --enable-maemo          enable Maemo specific plugin.
-  --enable-nm             enable NetworkManager backend.
-  --enable-ha             enable high availability cluster plugin.
-  --enable-whitelist      enable peer identity whitelisting plugin.
-  --enable-lookip         enable fast virtual IP lookup and notification
-                          plugin.
-  --enable-error-notify   enable error notification plugin.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
-  --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
-                          system time gracefully.
-  --enable-led            enable plugin to control LEDs on IKEv2 activity
-                          using the Linux kernel LED subsystem.
   --enable-duplicheck     advanced duplicate checking plugin using liveness
                           checks.
-  --enable-coupling       enable IKEv2 plugin to couple peer certificates
-                          permanently to authentication.
+  --enable-error-notify   enable error notification plugin.
+  --enable-farp           enable ARP faking plugin that responds to ARP
+                          requests to peers virtual IP
+  --enable-ha             enable high availability cluster plugin.
+  --enable-led            enable plugin to control LEDs on IKEv2 activity
+                          using the Linux kernel LED subsystem.
+  --enable-load-tester    enable load testing plugin for IKEv2 daemon.
+  --enable-lookip         enable fast virtual IP lookup and notification
+                          plugin.
+  --enable-maemo          enable Maemo specific plugin.
   --enable-radattr        enable plugin to inject and process custom RADIUS
                           attributes as IKEv2 client.
-  --enable-vstr           enforce using the Vstr string library to replace
-                          glibc-like printf hooks.
-  --enable-monolithic     build monolithic version of libstrongswan that
-                          includes all enabled plugins. Similarly, the plugins
-                          of charon are assembled in libcharon.
+  --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
+                          system time gracefully.
+  --enable-test-vectors   enable plugin providing crypto test vectors.
+  --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
+  --disable-updown        disable updown firewall script plugin.
+  --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
+  --enable-cmd            enable the command line IKE client charon-cmd.
+  --enable-conftest       enforce Suite B conformance test framework.
+  --enable-dumm           enable the DUMM UML test framework.
+  --enable-fast           enable libfast (FastCGI Application Server w/
+                          templates.
+  --enable-libipsec       enable user space IPsec implementation.
+  --enable-manager        enable web management console (proof of concept).
+  --enable-medcli         enable mediation client configuration database
+                          plugin.
+  --enable-medsrv         enable mediation server web frontend and daemon
+                          plugin.
+  --enable-nm             enable NetworkManager backend.
+  --disable-scripts       disable additional utilities (found in directory
+                          scripts).
+  --enable-tkm            enable Trusted Key Manager support.
+  --disable-tools         disable additional utilities (scepclient and pki).
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
                           leaks and segfaults.
+  --disable-ikev1         disable IKEv1 protocol support in charon.
+  --disable-ikev2         disable IKEv2 protocol support in charon.
+  --enable-integrity-test enable integrity testing of libstrongswan and
+                          plugins.
+  --disable-load-warning  disable the charon plugin load option warning in
+                          starter.
+  --enable-mediation      enable IKEv2 Mediation Extension.
   --enable-unwind-backtraces
                           use libunwind to create backtraces for memory leaks
                           and segfaults.
   --enable-coverage       enable lcov coverage report generation.
-  --enable-tkm            enable Trusted Key Manager support.
-  --enable-cmd            enable the command line IKE client charon-cmd.
+  --enable-leak-detective enable malloc hooks to find memory leaks.
+  --enable-lock-profiler  enable lock/mutex profiling code.
+  --enable-monolithic     build monolithic version of libstrongswan that
+                          includes all enabled plugins. Similarly, the plugins
+                          of charon are assembled in libcharon.
   --disable-defaults      disable all default plugins (they can be enabled
                           with their respective --enable options)
+  --enable-all            enable all plugins and features (they can be
+                          disabled with their respective --disable options).
+                          Mainly for testing.
   --enable-dependency-tracking
                           do not reject slow dependency extractors
   --disable-dependency-tracking
@@ -2257,6 +2261,9 @@ Optional Packages:
                           libgmp, if available (default: yes).
   --with-dev-headers=arg  install strongSwan development headers to directory.
                           (default: no).
+  --with-printf-hooks=arg force the use of a specific printf hook
+                          implementation (auto, builtin, glibc, vstr).
+                          (default: auto).
   --with-systemdsystemunitdir=arg
                           directory for systemd service files (default:
                           $systemdsystemunitdir_default).
@@ -2382,7 +2389,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.1.2
+strongSwan configure 5.1.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2904,7 +2911,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.1.2, which was
+It was created by strongSwan $as_me 5.1.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3767,7 +3774,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.1.2'
+ VERSION='5.1.3'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4426,6 +4433,16 @@ fi
 
 
 
+# Check whether --with-printf-hooks was given.
+if test "${with_printf_hooks+set}" = set; then :
+  withval=$with_printf_hooks; printf_hooks="$withval"
+else
+  printf_hooks=auto
+
+fi
+
+
+
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
 fi
@@ -4534,6 +4551,7 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z`
 # ARG_ENABL_SET(option, help)
 # ---------------------------
 # Create a --enable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $disabled_by_default
 
 
 # ARG_DISBL_SET(option, help)
@@ -4543,81 +4561,102 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z`
 
 
 
-# Check whether --enable-curl was given.
-if test "${enable_curl+set}" = set; then :
-  enableval=$enable_curl; curl_given=true
+# crypto plugins
+# Check whether --enable-aes was given.
+if test "${enable_aes+set}" = set; then :
+  enableval=$enable_aes; aes_given=true
 		if test x$enableval = xyes; then
-			curl=true
+			aes=true
 		 else
-			curl=false
+			aes=false
 		fi
 else
-  curl=false
-		curl_given=false
+  aes=true
+		aes_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" aes"
 
-# Check whether --enable-unbound was given.
-if test "${enable_unbound+set}" = set; then :
-  enableval=$enable_unbound; unbound_given=true
+# Check whether --enable-af-alg was given.
+if test "${enable_af_alg+set}" = set; then :
+  enableval=$enable_af_alg; af_alg_given=true
 		if test x$enableval = xyes; then
-			unbound=true
+			af_alg=true
 		 else
-			unbound=false
+			af_alg=false
 		fi
 else
-  unbound=false
-		unbound_given=false
+  af_alg=false
+		af_alg_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" af_alg"
 
-# Check whether --enable-soup was given.
-if test "${enable_soup+set}" = set; then :
-  enableval=$enable_soup; soup_given=true
+# Check whether --enable-blowfish was given.
+if test "${enable_blowfish+set}" = set; then :
+  enableval=$enable_blowfish; blowfish_given=true
 		if test x$enableval = xyes; then
-			soup=true
+			blowfish=true
 		 else
-			soup=false
+			blowfish=false
 		fi
 else
-  soup=false
-		soup_given=false
+  blowfish=false
+		blowfish_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" blowfish"
 
-# Check whether --enable-ldap was given.
-if test "${enable_ldap+set}" = set; then :
-  enableval=$enable_ldap; ldap_given=true
+# Check whether --enable-ccm was given.
+if test "${enable_ccm+set}" = set; then :
+  enableval=$enable_ccm; ccm_given=true
 		if test x$enableval = xyes; then
-			ldap=true
+			ccm=true
 		 else
-			ldap=false
+			ccm=false
 		fi
 else
-  ldap=false
-		ldap_given=false
+  ccm=false
+		ccm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" ccm"
 
-# Check whether --enable-aes was given.
-if test "${enable_aes+set}" = set; then :
-  enableval=$enable_aes; aes_given=true
+# Check whether --enable-cmac was given.
+if test "${enable_cmac+set}" = set; then :
+  enableval=$enable_cmac; cmac_given=true
 		if test x$enableval = xyes; then
-			aes=true
+			cmac=true
 		 else
-			aes=false
+			cmac=false
 		fi
 else
-  aes=true
-		aes_given=false
+  cmac=true
+		cmac_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" aes"
+	enabled_by_default=${enabled_by_default}" cmac"
+
+# Check whether --enable-ctr was given.
+if test "${enable_ctr+set}" = set; then :
+  enableval=$enable_ctr; ctr_given=true
+		if test x$enableval = xyes; then
+			ctr=true
+		 else
+			ctr=false
+		fi
+else
+  ctr=false
+		ctr_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" ctr"
 
 # Check whether --enable-des was given.
 if test "${enable_des+set}" = set; then :
@@ -4635,36 +4674,85 @@ fi
 
 	enabled_by_default=${enabled_by_default}" des"
 
-# Check whether --enable-blowfish was given.
-if test "${enable_blowfish+set}" = set; then :
-  enableval=$enable_blowfish; blowfish_given=true
+# Check whether --enable-fips-prf was given.
+if test "${enable_fips_prf+set}" = set; then :
+  enableval=$enable_fips_prf; fips_prf_given=true
 		if test x$enableval = xyes; then
-			blowfish=true
+			fips_prf=true
 		 else
-			blowfish=false
+			fips_prf=false
 		fi
 else
-  blowfish=false
-		blowfish_given=false
+  fips_prf=true
+		fips_prf_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" fips_prf"
 
-# Check whether --enable-rc2 was given.
-if test "${enable_rc2+set}" = set; then :
-  enableval=$enable_rc2; rc2_given=true
+# Check whether --enable-gcm was given.
+if test "${enable_gcm+set}" = set; then :
+  enableval=$enable_gcm; gcm_given=true
 		if test x$enableval = xyes; then
-			rc2=true
+			gcm=true
 		 else
-			rc2=false
+			gcm=false
 		fi
 else
-  rc2=true
-		rc2_given=false
+  gcm=false
+		gcm_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" rc2"
+	disabled_by_default=${disabled_by_default}" gcm"
+
+# Check whether --enable-gcrypt was given.
+if test "${enable_gcrypt+set}" = set; then :
+  enableval=$enable_gcrypt; gcrypt_given=true
+		if test x$enableval = xyes; then
+			gcrypt=true
+		 else
+			gcrypt=false
+		fi
+else
+  gcrypt=false
+		gcrypt_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" gcrypt"
+
+# Check whether --enable-gmp was given.
+if test "${enable_gmp+set}" = set; then :
+  enableval=$enable_gmp; gmp_given=true
+		if test x$enableval = xyes; then
+			gmp=true
+		 else
+			gmp=false
+		fi
+else
+  gmp=true
+		gmp_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" gmp"
+
+# Check whether --enable-hmac was given.
+if test "${enable_hmac+set}" = set; then :
+  enableval=$enable_hmac; hmac_given=true
+		if test x$enableval = xyes; then
+			hmac=true
+		 else
+			hmac=false
+		fi
+else
+  hmac=true
+		hmac_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" hmac"
 
 # Check whether --enable-md4 was given.
 if test "${enable_md4+set}" = set; then :
@@ -4680,6 +4768,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" md4"
 
 # Check whether --enable-md5 was given.
 if test "${enable_md5+set}" = set; then :
@@ -4697,69 +4786,101 @@ fi
 
 	enabled_by_default=${enabled_by_default}" md5"
 
-# Check whether --enable-sha1 was given.
-if test "${enable_sha1+set}" = set; then :
-  enableval=$enable_sha1; sha1_given=true
+# Check whether --enable-nonce was given.
+if test "${enable_nonce+set}" = set; then :
+  enableval=$enable_nonce; nonce_given=true
 		if test x$enableval = xyes; then
-			sha1=true
+			nonce=true
 		 else
-			sha1=false
+			nonce=false
 		fi
 else
-  sha1=true
-		sha1_given=false
+  nonce=true
+		nonce_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" sha1"
+	enabled_by_default=${enabled_by_default}" nonce"
 
-# Check whether --enable-sha2 was given.
-if test "${enable_sha2+set}" = set; then :
-  enableval=$enable_sha2; sha2_given=true
+# Check whether --enable-ntru was given.
+if test "${enable_ntru+set}" = set; then :
+  enableval=$enable_ntru; ntru_given=true
 		if test x$enableval = xyes; then
-			sha2=true
+			ntru=true
 		 else
-			sha2=false
+			ntru=false
 		fi
 else
-  sha2=true
-		sha2_given=false
+  ntru=false
+		ntru_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" sha2"
+	disabled_by_default=${disabled_by_default}" ntru"
 
-# Check whether --enable-fips-prf was given.
-if test "${enable_fips_prf+set}" = set; then :
-  enableval=$enable_fips_prf; fips_prf_given=true
+# Check whether --enable-openssl was given.
+if test "${enable_openssl+set}" = set; then :
+  enableval=$enable_openssl; openssl_given=true
 		if test x$enableval = xyes; then
-			fips_prf=true
+			openssl=true
 		 else
-			fips_prf=false
+			openssl=false
 		fi
 else
-  fips_prf=true
-		fips_prf_given=false
+  openssl=false
+		openssl_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" fips_prf"
+	disabled_by_default=${disabled_by_default}" openssl"
 
-# Check whether --enable-gmp was given.
-if test "${enable_gmp+set}" = set; then :
-  enableval=$enable_gmp; gmp_given=true
+# Check whether --enable-padlock was given.
+if test "${enable_padlock+set}" = set; then :
+  enableval=$enable_padlock; padlock_given=true
 		if test x$enableval = xyes; then
-			gmp=true
+			padlock=true
 		 else
-			gmp=false
+			padlock=false
 		fi
 else
-  gmp=true
-		gmp_given=false
+  padlock=false
+		padlock_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" gmp"
+	disabled_by_default=${disabled_by_default}" padlock"
+
+# Check whether --enable-random was given.
+if test "${enable_random+set}" = set; then :
+  enableval=$enable_random; random_given=true
+		if test x$enableval = xyes; then
+			random=true
+		 else
+			random=false
+		fi
+else
+  random=true
+		random_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" random"
+
+# Check whether --enable-rc2 was given.
+if test "${enable_rc2+set}" = set; then :
+  enableval=$enable_rc2; rc2_given=true
+		if test x$enableval = xyes; then
+			rc2=true
+		 else
+			rc2=false
+		fi
+else
+  rc2=true
+		rc2_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" rc2"
 
 # Check whether --enable-rdrand was given.
 if test "${enable_rdrand+set}" = set; then :
@@ -4775,102 +4896,104 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" rdrand"
 
-# Check whether --enable-random was given.
-if test "${enable_random+set}" = set; then :
-  enableval=$enable_random; random_given=true
+# Check whether --enable-sha1 was given.
+if test "${enable_sha1+set}" = set; then :
+  enableval=$enable_sha1; sha1_given=true
 		if test x$enableval = xyes; then
-			random=true
+			sha1=true
 		 else
-			random=false
+			sha1=false
 		fi
 else
-  random=true
-		random_given=false
+  sha1=true
+		sha1_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" random"
+	enabled_by_default=${enabled_by_default}" sha1"
 
-# Check whether --enable-nonce was given.
-if test "${enable_nonce+set}" = set; then :
-  enableval=$enable_nonce; nonce_given=true
+# Check whether --enable-sha2 was given.
+if test "${enable_sha2+set}" = set; then :
+  enableval=$enable_sha2; sha2_given=true
 		if test x$enableval = xyes; then
-			nonce=true
+			sha2=true
 		 else
-			nonce=false
+			sha2=false
 		fi
 else
-  nonce=true
-		nonce_given=false
+  sha2=true
+		sha2_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" nonce"
+	enabled_by_default=${enabled_by_default}" sha2"
 
-# Check whether --enable-x509 was given.
-if test "${enable_x509+set}" = set; then :
-  enableval=$enable_x509; x509_given=true
+# Check whether --enable-xcbc was given.
+if test "${enable_xcbc+set}" = set; then :
+  enableval=$enable_xcbc; xcbc_given=true
 		if test x$enableval = xyes; then
-			x509=true
+			xcbc=true
 		 else
-			x509=false
+			xcbc=false
 		fi
 else
-  x509=true
-		x509_given=false
+  xcbc=true
+		xcbc_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" x509"
+	enabled_by_default=${enabled_by_default}" xcbc"
 
-# Check whether --enable-revocation was given.
-if test "${enable_revocation+set}" = set; then :
-  enableval=$enable_revocation; revocation_given=true
+# encoding/decoding plugins
+# Check whether --enable-dnskey was given.
+if test "${enable_dnskey+set}" = set; then :
+  enableval=$enable_dnskey; dnskey_given=true
 		if test x$enableval = xyes; then
-			revocation=true
+			dnskey=true
 		 else
-			revocation=false
+			dnskey=false
 		fi
 else
-  revocation=true
-		revocation_given=false
+  dnskey=true
+		dnskey_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" revocation"
+	enabled_by_default=${enabled_by_default}" dnskey"
 
-# Check whether --enable-constraints was given.
-if test "${enable_constraints+set}" = set; then :
-  enableval=$enable_constraints; constraints_given=true
+# Check whether --enable-pem was given.
+if test "${enable_pem+set}" = set; then :
+  enableval=$enable_pem; pem_given=true
 		if test x$enableval = xyes; then
-			constraints=true
+			pem=true
 		 else
-			constraints=false
+			pem=false
 		fi
 else
-  constraints=true
-		constraints_given=false
+  pem=true
+		pem_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" constraints"
+	enabled_by_default=${enabled_by_default}" pem"
 
-# Check whether --enable-pubkey was given.
-if test "${enable_pubkey+set}" = set; then :
-  enableval=$enable_pubkey; pubkey_given=true
+# Check whether --enable-pgp was given.
+if test "${enable_pgp+set}" = set; then :
+  enableval=$enable_pgp; pgp_given=true
 		if test x$enableval = xyes; then
-			pubkey=true
+			pgp=true
 		 else
-			pubkey=false
+			pgp=false
 		fi
 else
-  pubkey=true
-		pubkey_given=false
+  pgp=true
+		pgp_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" pubkey"
+	enabled_by_default=${enabled_by_default}" pgp"
 
 # Check whether --enable-pkcs1 was given.
 if test "${enable_pkcs1+set}" = set; then :
@@ -4936,37 +5059,21 @@ fi
 
 	enabled_by_default=${enabled_by_default}" pkcs12"
 
-# Check whether --enable-pgp was given.
-if test "${enable_pgp+set}" = set; then :
-  enableval=$enable_pgp; pgp_given=true
-		if test x$enableval = xyes; then
-			pgp=true
-		 else
-			pgp=false
-		fi
-else
-  pgp=true
-		pgp_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" pgp"
-
-# Check whether --enable-dnskey was given.
-if test "${enable_dnskey+set}" = set; then :
-  enableval=$enable_dnskey; dnskey_given=true
+# Check whether --enable-pubkey was given.
+if test "${enable_pubkey+set}" = set; then :
+  enableval=$enable_pubkey; pubkey_given=true
 		if test x$enableval = xyes; then
-			dnskey=true
+			pubkey=true
 		 else
-			dnskey=false
+			pubkey=false
 		fi
 else
-  dnskey=true
-		dnskey_given=false
+  pubkey=true
+		pubkey_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" dnskey"
+	enabled_by_default=${enabled_by_default}" pubkey"
 
 # Check whether --enable-sshkey was given.
 if test "${enable_sshkey+set}" = set; then :
@@ -4984,130 +5091,88 @@ fi
 
 	enabled_by_default=${enabled_by_default}" sshkey"
 
-# Check whether --enable-dnscert was given.
-if test "${enable_dnscert+set}" = set; then :
-  enableval=$enable_dnscert; dnscert_given=true
-		if test x$enableval = xyes; then
-			dnscert=true
-		 else
-			dnscert=false
-		fi
-else
-  dnscert=false
-		dnscert_given=false
-
-fi
-
-
-# Check whether --enable-ipseckey was given.
-if test "${enable_ipseckey+set}" = set; then :
-  enableval=$enable_ipseckey; ipseckey_given=true
-		if test x$enableval = xyes; then
-			ipseckey=true
-		 else
-			ipseckey=false
-		fi
-else
-  ipseckey=false
-		ipseckey_given=false
-
-fi
-
-
-# Check whether --enable-pem was given.
-if test "${enable_pem+set}" = set; then :
-  enableval=$enable_pem; pem_given=true
-		if test x$enableval = xyes; then
-			pem=true
-		 else
-			pem=false
-		fi
-else
-  pem=true
-		pem_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" pem"
-
-# Check whether --enable-hmac was given.
-if test "${enable_hmac+set}" = set; then :
-  enableval=$enable_hmac; hmac_given=true
+# Check whether --enable-x509 was given.
+if test "${enable_x509+set}" = set; then :
+  enableval=$enable_x509; x509_given=true
 		if test x$enableval = xyes; then
-			hmac=true
+			x509=true
 		 else
-			hmac=false
+			x509=false
 		fi
 else
-  hmac=true
-		hmac_given=false
+  x509=true
+		x509_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" hmac"
+	enabled_by_default=${enabled_by_default}" x509"
 
-# Check whether --enable-cmac was given.
-if test "${enable_cmac+set}" = set; then :
-  enableval=$enable_cmac; cmac_given=true
+# fetcher/resolver plugins
+# Check whether --enable-curl was given.
+if test "${enable_curl+set}" = set; then :
+  enableval=$enable_curl; curl_given=true
 		if test x$enableval = xyes; then
-			cmac=true
+			curl=true
 		 else
-			cmac=false
+			curl=false
 		fi
 else
-  cmac=true
-		cmac_given=false
+  curl=false
+		curl_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" cmac"
+	disabled_by_default=${disabled_by_default}" curl"
 
-# Check whether --enable-xcbc was given.
-if test "${enable_xcbc+set}" = set; then :
-  enableval=$enable_xcbc; xcbc_given=true
+# Check whether --enable-ldap was given.
+if test "${enable_ldap+set}" = set; then :
+  enableval=$enable_ldap; ldap_given=true
 		if test x$enableval = xyes; then
-			xcbc=true
+			ldap=true
 		 else
-			xcbc=false
+			ldap=false
 		fi
 else
-  xcbc=true
-		xcbc_given=false
+  ldap=false
+		ldap_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" xcbc"
+	disabled_by_default=${disabled_by_default}" ldap"
 
-# Check whether --enable-af-alg was given.
-if test "${enable_af_alg+set}" = set; then :
-  enableval=$enable_af_alg; af_alg_given=true
+# Check whether --enable-soup was given.
+if test "${enable_soup+set}" = set; then :
+  enableval=$enable_soup; soup_given=true
 		if test x$enableval = xyes; then
-			af_alg=true
+			soup=true
 		 else
-			af_alg=false
+			soup=false
 		fi
 else
-  af_alg=false
-		af_alg_given=false
+  soup=false
+		soup_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" soup"
 
-# Check whether --enable-test-vectors was given.
-if test "${enable_test_vectors+set}" = set; then :
-  enableval=$enable_test_vectors; test_vectors_given=true
+# Check whether --enable-unbound was given.
+if test "${enable_unbound+set}" = set; then :
+  enableval=$enable_unbound; unbound_given=true
 		if test x$enableval = xyes; then
-			test_vectors=true
+			unbound=true
 		 else
-			test_vectors=false
+			unbound=false
 		fi
 else
-  test_vectors=false
-		test_vectors_given=false
+  unbound=false
+		unbound_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unbound"
 
+# database plugins
 # Check whether --enable-mysql was given.
 if test "${enable_mysql+set}" = set; then :
   enableval=$enable_mysql; mysql_given=true
@@ -5122,6 +5187,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" mysql"
 
 # Check whether --enable-sqlite was given.
 if test "${enable_sqlite+set}" = set; then :
@@ -5137,142 +5203,104 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" sqlite"
 
-# Check whether --enable-stroke was given.
-if test "${enable_stroke+set}" = set; then :
-  enableval=$enable_stroke; stroke_given=true
-		if test x$enableval = xyes; then
-			stroke=true
-		 else
-			stroke=false
-		fi
-else
-  stroke=true
-		stroke_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" stroke"
-
-# Check whether --enable-medsrv was given.
-if test "${enable_medsrv+set}" = set; then :
-  enableval=$enable_medsrv; medsrv_given=true
-		if test x$enableval = xyes; then
-			medsrv=true
-		 else
-			medsrv=false
-		fi
-else
-  medsrv=false
-		medsrv_given=false
-
-fi
-
-
-# Check whether --enable-medcli was given.
-if test "${enable_medcli+set}" = set; then :
-  enableval=$enable_medcli; medcli_given=true
-		if test x$enableval = xyes; then
-			medcli=true
-		 else
-			medcli=false
-		fi
-else
-  medcli=false
-		medcli_given=false
-
-fi
-
-
-# Check whether --enable-smp was given.
-if test "${enable_smp+set}" = set; then :
-  enableval=$enable_smp; smp_given=true
+# authentication/credential plugins
+# Check whether --enable-addrblock was given.
+if test "${enable_addrblock+set}" = set; then :
+  enableval=$enable_addrblock; addrblock_given=true
 		if test x$enableval = xyes; then
-			smp=true
+			addrblock=true
 		 else
-			smp=false
+			addrblock=false
 		fi
 else
-  smp=false
-		smp_given=false
+  addrblock=false
+		addrblock_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" addrblock"
 
-# Check whether --enable-sql was given.
-if test "${enable_sql+set}" = set; then :
-  enableval=$enable_sql; sql_given=true
+# Check whether --enable-acert was given.
+if test "${enable_acert+set}" = set; then :
+  enableval=$enable_acert; acert_given=true
 		if test x$enableval = xyes; then
-			sql=true
+			acert=true
 		 else
-			sql=false
+			acert=false
 		fi
 else
-  sql=false
-		sql_given=false
+  acert=false
+		acert_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" acert"
 
-# Check whether --enable-leak-detective was given.
-if test "${enable_leak_detective+set}" = set; then :
-  enableval=$enable_leak_detective; leak_detective_given=true
+# Check whether --enable-agent was given.
+if test "${enable_agent+set}" = set; then :
+  enableval=$enable_agent; agent_given=true
 		if test x$enableval = xyes; then
-			leak_detective=true
+			agent=true
 		 else
-			leak_detective=false
+			agent=false
 		fi
 else
-  leak_detective=false
-		leak_detective_given=false
+  agent=false
+		agent_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" agent"
 
-# Check whether --enable-lock-profiler was given.
-if test "${enable_lock_profiler+set}" = set; then :
-  enableval=$enable_lock_profiler; lock_profiler_given=true
+# Check whether --enable-constraints was given.
+if test "${enable_constraints+set}" = set; then :
+  enableval=$enable_constraints; constraints_given=true
 		if test x$enableval = xyes; then
-			lock_profiler=true
+			constraints=true
 		 else
-			lock_profiler=false
+			constraints=false
 		fi
 else
-  lock_profiler=false
-		lock_profiler_given=false
+  constraints=true
+		constraints_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" constraints"
 
-# Check whether --enable-unit-tester was given.
-if test "${enable_unit_tester+set}" = set; then :
-  enableval=$enable_unit_tester; unit_tester_given=true
+# Check whether --enable-coupling was given.
+if test "${enable_coupling+set}" = set; then :
+  enableval=$enable_coupling; coupling_given=true
 		if test x$enableval = xyes; then
-			unit_tester=true
+			coupling=true
 		 else
-			unit_tester=false
+			coupling=false
 		fi
 else
-  unit_tester=false
-		unit_tester_given=false
+  coupling=false
+		coupling_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" coupling"
 
-# Check whether --enable-load-tester was given.
-if test "${enable_load_tester+set}" = set; then :
-  enableval=$enable_load_tester; load_tester_given=true
+# Check whether --enable-dnscert was given.
+if test "${enable_dnscert+set}" = set; then :
+  enableval=$enable_dnscert; dnscert_given=true
 		if test x$enableval = xyes; then
-			load_tester=true
+			dnscert=true
 		 else
-			load_tester=false
+			dnscert=false
 		fi
 else
-  load_tester=false
-		load_tester_given=false
+  dnscert=false
+		dnscert_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" dnscert"
 
 # Check whether --enable-eap-sim was given.
 if test "${enable_eap_sim+set}" = set; then :
@@ -5288,6 +5316,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_sim"
 
 # Check whether --enable-eap-sim-file was given.
 if test "${enable_eap_sim_file+set}" = set; then :
@@ -5303,6 +5332,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_sim_file"
 
 # Check whether --enable-eap-sim-pcsc was given.
 if test "${enable_eap_sim_pcsc+set}" = set; then :
@@ -5318,6 +5348,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_sim_pcsc"
 
 # Check whether --enable-eap-aka was given.
 if test "${enable_eap_aka+set}" = set; then :
@@ -5333,6 +5364,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_aka"
 
 # Check whether --enable-eap-aka-3gpp2 was given.
 if test "${enable_eap_aka_3gpp2+set}" = set; then :
@@ -5348,6 +5380,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_aka_3gpp2"
 
 # Check whether --enable-eap-simaka-sql was given.
 if test "${enable_eap_simaka_sql+set}" = set; then :
@@ -5363,6 +5396,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_simaka_sql"
 
 # Check whether --enable-eap-simaka-pseudonym was given.
 if test "${enable_eap_simaka_pseudonym+set}" = set; then :
@@ -5378,6 +5412,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_simaka_pseudonym"
 
 # Check whether --enable-eap-simaka-reauth was given.
 if test "${enable_eap_simaka_reauth+set}" = set; then :
@@ -5393,6 +5428,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_simaka_reauth"
 
 # Check whether --enable-eap-identity was given.
 if test "${enable_eap_identity+set}" = set; then :
@@ -5408,6 +5444,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_identity"
 
 # Check whether --enable-eap-md5 was given.
 if test "${enable_eap_md5+set}" = set; then :
@@ -5423,6 +5460,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_md5"
 
 # Check whether --enable-eap-gtc was given.
 if test "${enable_eap_gtc+set}" = set; then :
@@ -5438,6 +5476,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_gtc"
 
 # Check whether --enable-eap-mschapv2 was given.
 if test "${enable_eap_mschapv2+set}" = set; then :
@@ -5453,6 +5492,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_mschapv2"
 
 # Check whether --enable-eap-tls was given.
 if test "${enable_eap_tls+set}" = set; then :
@@ -5468,6 +5508,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_tls"
 
 # Check whether --enable-eap-ttls was given.
 if test "${enable_eap_ttls+set}" = set; then :
@@ -5483,6 +5524,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_ttls"
 
 # Check whether --enable-eap-peap was given.
 if test "${enable_eap_peap+set}" = set; then :
@@ -5498,6 +5540,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_peap"
 
 # Check whether --enable-eap-tnc was given.
 if test "${enable_eap_tnc+set}" = set; then :
@@ -5513,6 +5556,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_tnc"
 
 # Check whether --enable-eap-dynamic was given.
 if test "${enable_eap_dynamic+set}" = set; then :
@@ -5528,6 +5572,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_dynamic"
 
 # Check whether --enable-eap-radius was given.
 if test "${enable_eap_radius+set}" = set; then :
@@ -5543,1188 +5588,1262 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_radius"
 
-# Check whether --enable-xauth-generic was given.
-if test "${enable_xauth_generic+set}" = set; then :
-  enableval=$enable_xauth_generic; xauth_generic_given=true
+# Check whether --enable-ipseckey was given.
+if test "${enable_ipseckey+set}" = set; then :
+  enableval=$enable_ipseckey; ipseckey_given=true
 		if test x$enableval = xyes; then
-			xauth_generic=true
+			ipseckey=true
 		 else
-			xauth_generic=false
+			ipseckey=false
 		fi
 else
-  xauth_generic=true
-		xauth_generic_given=false
+  ipseckey=false
+		ipseckey_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" xauth_generic"
+	disabled_by_default=${disabled_by_default}" ipseckey"
 
-# Check whether --enable-xauth-eap was given.
-if test "${enable_xauth_eap+set}" = set; then :
-  enableval=$enable_xauth_eap; xauth_eap_given=true
+# Check whether --enable-keychain was given.
+if test "${enable_keychain+set}" = set; then :
+  enableval=$enable_keychain; keychain_given=true
 		if test x$enableval = xyes; then
-			xauth_eap=true
+			keychain=true
 		 else
-			xauth_eap=false
+			keychain=false
 		fi
 else
-  xauth_eap=false
-		xauth_eap_given=false
+  keychain=false
+		keychain_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" keychain"
 
-# Check whether --enable-xauth-pam was given.
-if test "${enable_xauth_pam+set}" = set; then :
-  enableval=$enable_xauth_pam; xauth_pam_given=true
+# Check whether --enable-pkcs11 was given.
+if test "${enable_pkcs11+set}" = set; then :
+  enableval=$enable_pkcs11; pkcs11_given=true
 		if test x$enableval = xyes; then
-			xauth_pam=true
+			pkcs11=true
 		 else
-			xauth_pam=false
+			pkcs11=false
 		fi
 else
-  xauth_pam=false
-		xauth_pam_given=false
+  pkcs11=false
+		pkcs11_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" pkcs11"
 
-# Check whether --enable-xauth-noauth was given.
-if test "${enable_xauth_noauth+set}" = set; then :
-  enableval=$enable_xauth_noauth; xauth_noauth_given=true
+# Check whether --enable-revocation was given.
+if test "${enable_revocation+set}" = set; then :
+  enableval=$enable_revocation; revocation_given=true
 		if test x$enableval = xyes; then
-			xauth_noauth=true
+			revocation=true
 		 else
-			xauth_noauth=false
+			revocation=false
 		fi
 else
-  xauth_noauth=false
-		xauth_noauth_given=false
+  revocation=true
+		revocation_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" revocation"
 
-# Check whether --enable-tnc-ifmap was given.
-if test "${enable_tnc_ifmap+set}" = set; then :
-  enableval=$enable_tnc_ifmap; tnc_ifmap_given=true
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist; whitelist_given=true
 		if test x$enableval = xyes; then
-			tnc_ifmap=true
+			whitelist=true
 		 else
-			tnc_ifmap=false
+			whitelist=false
 		fi
 else
-  tnc_ifmap=false
-		tnc_ifmap_given=false
+  whitelist=false
+		whitelist_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" whitelist"
 
-# Check whether --enable-tnc-pdp was given.
-if test "${enable_tnc_pdp+set}" = set; then :
-  enableval=$enable_tnc_pdp; tnc_pdp_given=true
+# Check whether --enable-xauth-generic was given.
+if test "${enable_xauth_generic+set}" = set; then :
+  enableval=$enable_xauth_generic; xauth_generic_given=true
 		if test x$enableval = xyes; then
-			tnc_pdp=true
+			xauth_generic=true
 		 else
-			tnc_pdp=false
+			xauth_generic=false
 		fi
 else
-  tnc_pdp=false
-		tnc_pdp_given=false
+  xauth_generic=true
+		xauth_generic_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" xauth_generic"
 
-# Check whether --enable-tnc-imc was given.
-if test "${enable_tnc_imc+set}" = set; then :
-  enableval=$enable_tnc_imc; tnc_imc_given=true
+# Check whether --enable-xauth-eap was given.
+if test "${enable_xauth_eap+set}" = set; then :
+  enableval=$enable_xauth_eap; xauth_eap_given=true
 		if test x$enableval = xyes; then
-			tnc_imc=true
+			xauth_eap=true
 		 else
-			tnc_imc=false
+			xauth_eap=false
 		fi
 else
-  tnc_imc=false
-		tnc_imc_given=false
+  xauth_eap=false
+		xauth_eap_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" xauth_eap"
 
-# Check whether --enable-tnc-imv was given.
-if test "${enable_tnc_imv+set}" = set; then :
-  enableval=$enable_tnc_imv; tnc_imv_given=true
+# Check whether --enable-xauth-pam was given.
+if test "${enable_xauth_pam+set}" = set; then :
+  enableval=$enable_xauth_pam; xauth_pam_given=true
 		if test x$enableval = xyes; then
-			tnc_imv=true
+			xauth_pam=true
 		 else
-			tnc_imv=false
+			xauth_pam=false
 		fi
 else
-  tnc_imv=false
-		tnc_imv_given=false
+  xauth_pam=false
+		xauth_pam_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" xauth_pam"
 
-# Check whether --enable-tnccs-11 was given.
-if test "${enable_tnccs_11+set}" = set; then :
-  enableval=$enable_tnccs_11; tnccs_11_given=true
+# Check whether --enable-xauth-noauth was given.
+if test "${enable_xauth_noauth+set}" = set; then :
+  enableval=$enable_xauth_noauth; xauth_noauth_given=true
 		if test x$enableval = xyes; then
-			tnccs_11=true
+			xauth_noauth=true
 		 else
-			tnccs_11=false
+			xauth_noauth=false
 		fi
 else
-  tnccs_11=false
-		tnccs_11_given=false
+  xauth_noauth=false
+		xauth_noauth_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" xauth_noauth"
 
-# Check whether --enable-tnccs-20 was given.
-if test "${enable_tnccs_20+set}" = set; then :
-  enableval=$enable_tnccs_20; tnccs_20_given=true
+# kernel interfaces / sockets
+# Check whether --enable-kernel-netlink was given.
+if test "${enable_kernel_netlink+set}" = set; then :
+  enableval=$enable_kernel_netlink; kernel_netlink_given=true
 		if test x$enableval = xyes; then
-			tnccs_20=true
+			kernel_netlink=true
 		 else
-			tnccs_20=false
+			kernel_netlink=false
 		fi
 else
-  tnccs_20=false
-		tnccs_20_given=false
+  kernel_netlink=true
+		kernel_netlink_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" kernel_netlink"
 
-# Check whether --enable-tnccs-dynamic was given.
-if test "${enable_tnccs_dynamic+set}" = set; then :
-  enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true
+# Check whether --enable-kernel-pfkey was given.
+if test "${enable_kernel_pfkey+set}" = set; then :
+  enableval=$enable_kernel_pfkey; kernel_pfkey_given=true
 		if test x$enableval = xyes; then
-			tnccs_dynamic=true
+			kernel_pfkey=true
 		 else
-			tnccs_dynamic=false
+			kernel_pfkey=false
 		fi
 else
-  tnccs_dynamic=false
-		tnccs_dynamic_given=false
+  kernel_pfkey=false
+		kernel_pfkey_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_pfkey"
 
-# Check whether --enable-imc-test was given.
-if test "${enable_imc_test+set}" = set; then :
-  enableval=$enable_imc_test; imc_test_given=true
+# Check whether --enable-kernel-pfroute was given.
+if test "${enable_kernel_pfroute+set}" = set; then :
+  enableval=$enable_kernel_pfroute; kernel_pfroute_given=true
 		if test x$enableval = xyes; then
-			imc_test=true
+			kernel_pfroute=true
 		 else
-			imc_test=false
+			kernel_pfroute=false
 		fi
 else
-  imc_test=false
-		imc_test_given=false
+  kernel_pfroute=false
+		kernel_pfroute_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_pfroute"
 
-# Check whether --enable-imv-test was given.
-if test "${enable_imv_test+set}" = set; then :
-  enableval=$enable_imv_test; imv_test_given=true
+# Check whether --enable-kernel-klips was given.
+if test "${enable_kernel_klips+set}" = set; then :
+  enableval=$enable_kernel_klips; kernel_klips_given=true
 		if test x$enableval = xyes; then
-			imv_test=true
+			kernel_klips=true
 		 else
-			imv_test=false
+			kernel_klips=false
 		fi
 else
-  imv_test=false
-		imv_test_given=false
+  kernel_klips=false
+		kernel_klips_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_klips"
 
-# Check whether --enable-imc-scanner was given.
-if test "${enable_imc_scanner+set}" = set; then :
-  enableval=$enable_imc_scanner; imc_scanner_given=true
+# Check whether --enable-kernel-libipsec was given.
+if test "${enable_kernel_libipsec+set}" = set; then :
+  enableval=$enable_kernel_libipsec; kernel_libipsec_given=true
 		if test x$enableval = xyes; then
-			imc_scanner=true
+			kernel_libipsec=true
 		 else
-			imc_scanner=false
+			kernel_libipsec=false
 		fi
 else
-  imc_scanner=false
-		imc_scanner_given=false
+  kernel_libipsec=false
+		kernel_libipsec_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_libipsec"
 
-# Check whether --enable-imv-scanner was given.
-if test "${enable_imv_scanner+set}" = set; then :
-  enableval=$enable_imv_scanner; imv_scanner_given=true
+# Check whether --enable-socket-default was given.
+if test "${enable_socket_default+set}" = set; then :
+  enableval=$enable_socket_default; socket_default_given=true
 		if test x$enableval = xyes; then
-			imv_scanner=true
+			socket_default=true
 		 else
-			imv_scanner=false
+			socket_default=false
 		fi
 else
-  imv_scanner=false
-		imv_scanner_given=false
+  socket_default=true
+		socket_default_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" socket_default"
 
-# Check whether --enable-imc-os was given.
-if test "${enable_imc_os+set}" = set; then :
-  enableval=$enable_imc_os; imc_os_given=true
+# Check whether --enable-socket-dynamic was given.
+if test "${enable_socket_dynamic+set}" = set; then :
+  enableval=$enable_socket_dynamic; socket_dynamic_given=true
 		if test x$enableval = xyes; then
-			imc_os=true
+			socket_dynamic=true
 		 else
-			imc_os=false
+			socket_dynamic=false
 		fi
 else
-  imc_os=false
-		imc_os_given=false
+  socket_dynamic=false
+		socket_dynamic_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" socket_dynamic"
 
-# Check whether --enable-imv-os was given.
-if test "${enable_imv_os+set}" = set; then :
-  enableval=$enable_imv_os; imv_os_given=true
+# configuration/control plugins
+# Check whether --enable-stroke was given.
+if test "${enable_stroke+set}" = set; then :
+  enableval=$enable_stroke; stroke_given=true
 		if test x$enableval = xyes; then
-			imv_os=true
+			stroke=true
 		 else
-			imv_os=false
+			stroke=false
 		fi
 else
-  imv_os=false
-		imv_os_given=false
+  stroke=true
+		stroke_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" stroke"
 
-# Check whether --enable-imc-attestation was given.
-if test "${enable_imc_attestation+set}" = set; then :
-  enableval=$enable_imc_attestation; imc_attestation_given=true
+# Check whether --enable-smp was given.
+if test "${enable_smp+set}" = set; then :
+  enableval=$enable_smp; smp_given=true
 		if test x$enableval = xyes; then
-			imc_attestation=true
+			smp=true
 		 else
-			imc_attestation=false
+			smp=false
 		fi
 else
-  imc_attestation=false
-		imc_attestation_given=false
+  smp=false
+		smp_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" smp"
 
-# Check whether --enable-imv-attestation was given.
-if test "${enable_imv_attestation+set}" = set; then :
-  enableval=$enable_imv_attestation; imv_attestation_given=true
+# Check whether --enable-sql was given.
+if test "${enable_sql+set}" = set; then :
+  enableval=$enable_sql; sql_given=true
 		if test x$enableval = xyes; then
-			imv_attestation=true
+			sql=true
 		 else
-			imv_attestation=false
+			sql=false
 		fi
 else
-  imv_attestation=false
-		imv_attestation_given=false
+  sql=false
+		sql_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" sql"
 
-# Check whether --enable-imc-swid was given.
-if test "${enable_imc_swid+set}" = set; then :
-  enableval=$enable_imc_swid; imc_swid_given=true
+# Check whether --enable-uci was given.
+if test "${enable_uci+set}" = set; then :
+  enableval=$enable_uci; uci_given=true
 		if test x$enableval = xyes; then
-			imc_swid=true
+			uci=true
 		 else
-			imc_swid=false
+			uci=false
 		fi
 else
-  imc_swid=false
-		imc_swid_given=false
+  uci=false
+		uci_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" uci"
 
-# Check whether --enable-imv-swid was given.
-if test "${enable_imv_swid+set}" = set; then :
-  enableval=$enable_imv_swid; imv_swid_given=true
+# attribute provider/consumer plugins
+# Check whether --enable-android-dns was given.
+if test "${enable_android_dns+set}" = set; then :
+  enableval=$enable_android_dns; android_dns_given=true
 		if test x$enableval = xyes; then
-			imv_swid=true
+			android_dns=true
 		 else
-			imv_swid=false
+			android_dns=false
 		fi
 else
-  imv_swid=false
-		imv_swid_given=false
+  android_dns=false
+		android_dns_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" android_dns"
 
-# Check whether --enable-kernel-netlink was given.
-if test "${enable_kernel_netlink+set}" = set; then :
-  enableval=$enable_kernel_netlink; kernel_netlink_given=true
+# Check whether --enable-attr was given.
+if test "${enable_attr+set}" = set; then :
+  enableval=$enable_attr; attr_given=true
 		if test x$enableval = xyes; then
-			kernel_netlink=true
+			attr=true
 		 else
-			kernel_netlink=false
+			attr=false
 		fi
 else
-  kernel_netlink=true
-		kernel_netlink_given=false
+  attr=true
+		attr_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" kernel_netlink"
+	enabled_by_default=${enabled_by_default}" attr"
 
-# Check whether --enable-kernel-pfkey was given.
-if test "${enable_kernel_pfkey+set}" = set; then :
-  enableval=$enable_kernel_pfkey; kernel_pfkey_given=true
+# Check whether --enable-attr-sql was given.
+if test "${enable_attr_sql+set}" = set; then :
+  enableval=$enable_attr_sql; attr_sql_given=true
 		if test x$enableval = xyes; then
-			kernel_pfkey=true
+			attr_sql=true
 		 else
-			kernel_pfkey=false
+			attr_sql=false
 		fi
 else
-  kernel_pfkey=false
-		kernel_pfkey_given=false
+  attr_sql=false
+		attr_sql_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" attr_sql"
 
-# Check whether --enable-kernel-pfroute was given.
-if test "${enable_kernel_pfroute+set}" = set; then :
-  enableval=$enable_kernel_pfroute; kernel_pfroute_given=true
+# Check whether --enable-dhcp was given.
+if test "${enable_dhcp+set}" = set; then :
+  enableval=$enable_dhcp; dhcp_given=true
 		if test x$enableval = xyes; then
-			kernel_pfroute=true
+			dhcp=true
 		 else
-			kernel_pfroute=false
+			dhcp=false
 		fi
 else
-  kernel_pfroute=false
-		kernel_pfroute_given=false
+  dhcp=false
+		dhcp_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" dhcp"
 
-# Check whether --enable-kernel-klips was given.
-if test "${enable_kernel_klips+set}" = set; then :
-  enableval=$enable_kernel_klips; kernel_klips_given=true
+# Check whether --enable-osx-attr was given.
+if test "${enable_osx_attr+set}" = set; then :
+  enableval=$enable_osx_attr; osx_attr_given=true
 		if test x$enableval = xyes; then
-			kernel_klips=true
+			osx_attr=true
 		 else
-			kernel_klips=false
+			osx_attr=false
 		fi
 else
-  kernel_klips=false
-		kernel_klips_given=false
+  osx_attr=false
+		osx_attr_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" osx_attr"
 
-# Check whether --enable-kernel-libipsec was given.
-if test "${enable_kernel_libipsec+set}" = set; then :
-  enableval=$enable_kernel_libipsec; kernel_libipsec_given=true
+# Check whether --enable-resolve was given.
+if test "${enable_resolve+set}" = set; then :
+  enableval=$enable_resolve; resolve_given=true
 		if test x$enableval = xyes; then
-			kernel_libipsec=true
+			resolve=true
 		 else
-			kernel_libipsec=false
+			resolve=false
 		fi
 else
-  kernel_libipsec=false
-		kernel_libipsec_given=false
+  resolve=true
+		resolve_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" resolve"
 
-# Check whether --enable-libipsec was given.
-if test "${enable_libipsec+set}" = set; then :
-  enableval=$enable_libipsec; libipsec_given=true
+# Check whether --enable-unity was given.
+if test "${enable_unity+set}" = set; then :
+  enableval=$enable_unity; unity_given=true
 		if test x$enableval = xyes; then
-			libipsec=true
+			unity=true
 		 else
-			libipsec=false
+			unity=false
 		fi
 else
-  libipsec=false
-		libipsec_given=false
+  unity=false
+		unity_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unity"
 
-# Check whether --enable-socket-default was given.
-if test "${enable_socket_default+set}" = set; then :
-  enableval=$enable_socket_default; socket_default_given=true
+# TNC modules/plugins
+# Check whether --enable-imc-test was given.
+if test "${enable_imc_test+set}" = set; then :
+  enableval=$enable_imc_test; imc_test_given=true
 		if test x$enableval = xyes; then
-			socket_default=true
+			imc_test=true
 		 else
-			socket_default=false
+			imc_test=false
 		fi
 else
-  socket_default=true
-		socket_default_given=false
+  imc_test=false
+		imc_test_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" socket_default"
+	disabled_by_default=${disabled_by_default}" imc_test"
 
-# Check whether --enable-socket-dynamic was given.
-if test "${enable_socket_dynamic+set}" = set; then :
-  enableval=$enable_socket_dynamic; socket_dynamic_given=true
+# Check whether --enable-imv-test was given.
+if test "${enable_imv_test+set}" = set; then :
+  enableval=$enable_imv_test; imv_test_given=true
 		if test x$enableval = xyes; then
-			socket_dynamic=true
+			imv_test=true
 		 else
-			socket_dynamic=false
+			imv_test=false
 		fi
 else
-  socket_dynamic=false
-		socket_dynamic_given=false
+  imv_test=false
+		imv_test_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_test"
 
-# Check whether --enable-farp was given.
-if test "${enable_farp+set}" = set; then :
-  enableval=$enable_farp; farp_given=true
+# Check whether --enable-imc-scanner was given.
+if test "${enable_imc_scanner+set}" = set; then :
+  enableval=$enable_imc_scanner; imc_scanner_given=true
 		if test x$enableval = xyes; then
-			farp=true
+			imc_scanner=true
 		 else
-			farp=false
+			imc_scanner=false
 		fi
 else
-  farp=false
-		farp_given=false
+  imc_scanner=false
+		imc_scanner_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_scanner"
 
-# Check whether --enable-dumm was given.
-if test "${enable_dumm+set}" = set; then :
-  enableval=$enable_dumm; dumm_given=true
+# Check whether --enable-imv-scanner was given.
+if test "${enable_imv_scanner+set}" = set; then :
+  enableval=$enable_imv_scanner; imv_scanner_given=true
 		if test x$enableval = xyes; then
-			dumm=true
+			imv_scanner=true
 		 else
-			dumm=false
+			imv_scanner=false
 		fi
 else
-  dumm=false
-		dumm_given=false
+  imv_scanner=false
+		imv_scanner_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_scanner"
 
-# Check whether --enable-fast was given.
-if test "${enable_fast+set}" = set; then :
-  enableval=$enable_fast; fast_given=true
+# Check whether --enable-imc-os was given.
+if test "${enable_imc_os+set}" = set; then :
+  enableval=$enable_imc_os; imc_os_given=true
 		if test x$enableval = xyes; then
-			fast=true
+			imc_os=true
 		 else
-			fast=false
+			imc_os=false
 		fi
 else
-  fast=false
-		fast_given=false
+  imc_os=false
+		imc_os_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_os"
 
-# Check whether --enable-manager was given.
-if test "${enable_manager+set}" = set; then :
-  enableval=$enable_manager; manager_given=true
+# Check whether --enable-imv-os was given.
+if test "${enable_imv_os+set}" = set; then :
+  enableval=$enable_imv_os; imv_os_given=true
 		if test x$enableval = xyes; then
-			manager=true
+			imv_os=true
 		 else
-			manager=false
+			imv_os=false
 		fi
 else
-  manager=false
-		manager_given=false
+  imv_os=false
+		imv_os_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_os"
 
-# Check whether --enable-mediation was given.
-if test "${enable_mediation+set}" = set; then :
-  enableval=$enable_mediation; mediation_given=true
+# Check whether --enable-imc-attestation was given.
+if test "${enable_imc_attestation+set}" = set; then :
+  enableval=$enable_imc_attestation; imc_attestation_given=true
 		if test x$enableval = xyes; then
-			mediation=true
+			imc_attestation=true
 		 else
-			mediation=false
+			imc_attestation=false
 		fi
 else
-  mediation=false
-		mediation_given=false
+  imc_attestation=false
+		imc_attestation_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_attestation"
 
-# Check whether --enable-integrity-test was given.
-if test "${enable_integrity_test+set}" = set; then :
-  enableval=$enable_integrity_test; integrity_test_given=true
+# Check whether --enable-imv-attestation was given.
+if test "${enable_imv_attestation+set}" = set; then :
+  enableval=$enable_imv_attestation; imv_attestation_given=true
 		if test x$enableval = xyes; then
-			integrity_test=true
+			imv_attestation=true
 		 else
-			integrity_test=false
+			imv_attestation=false
 		fi
 else
-  integrity_test=false
-		integrity_test_given=false
+  imv_attestation=false
+		imv_attestation_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_attestation"
 
-# Check whether --enable-load-warning was given.
-if test "${enable_load_warning+set}" = set; then :
-  enableval=$enable_load_warning; load_warning_given=true
+# Check whether --enable-imc-swid was given.
+if test "${enable_imc_swid+set}" = set; then :
+  enableval=$enable_imc_swid; imc_swid_given=true
 		if test x$enableval = xyes; then
-			load_warning=true
+			imc_swid=true
 		 else
-			load_warning=false
+			imc_swid=false
 		fi
 else
-  load_warning=true
-		load_warning_given=false
+  imc_swid=false
+		imc_swid_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" load_warning"
+	disabled_by_default=${disabled_by_default}" imc_swid"
 
-# Check whether --enable-ikev1 was given.
-if test "${enable_ikev1+set}" = set; then :
-  enableval=$enable_ikev1; ikev1_given=true
+# Check whether --enable-imv-swid was given.
+if test "${enable_imv_swid+set}" = set; then :
+  enableval=$enable_imv_swid; imv_swid_given=true
 		if test x$enableval = xyes; then
-			ikev1=true
+			imv_swid=true
 		 else
-			ikev1=false
+			imv_swid=false
 		fi
 else
-  ikev1=true
-		ikev1_given=false
+  imv_swid=false
+		imv_swid_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" ikev1"
+	disabled_by_default=${disabled_by_default}" imv_swid"
 
-# Check whether --enable-ikev2 was given.
-if test "${enable_ikev2+set}" = set; then :
-  enableval=$enable_ikev2; ikev2_given=true
+# Check whether --enable-tnc-ifmap was given.
+if test "${enable_tnc_ifmap+set}" = set; then :
+  enableval=$enable_tnc_ifmap; tnc_ifmap_given=true
 		if test x$enableval = xyes; then
-			ikev2=true
+			tnc_ifmap=true
 		 else
-			ikev2=false
+			tnc_ifmap=false
 		fi
 else
-  ikev2=true
-		ikev2_given=false
+  tnc_ifmap=false
+		tnc_ifmap_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" ikev2"
+	disabled_by_default=${disabled_by_default}" tnc_ifmap"
 
-# Check whether --enable-charon was given.
-if test "${enable_charon+set}" = set; then :
-  enableval=$enable_charon; charon_given=true
+# Check whether --enable-tnc-imc was given.
+if test "${enable_tnc_imc+set}" = set; then :
+  enableval=$enable_tnc_imc; tnc_imc_given=true
 		if test x$enableval = xyes; then
-			charon=true
+			tnc_imc=true
 		 else
-			charon=false
+			tnc_imc=false
 		fi
 else
-  charon=true
-		charon_given=false
+  tnc_imc=false
+		tnc_imc_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" charon"
+	disabled_by_default=${disabled_by_default}" tnc_imc"
 
-# Check whether --enable-tools was given.
-if test "${enable_tools+set}" = set; then :
-  enableval=$enable_tools; tools_given=true
+# Check whether --enable-tnc-imv was given.
+if test "${enable_tnc_imv+set}" = set; then :
+  enableval=$enable_tnc_imv; tnc_imv_given=true
 		if test x$enableval = xyes; then
-			tools=true
+			tnc_imv=true
 		 else
-			tools=false
+			tnc_imv=false
 		fi
 else
-  tools=true
-		tools_given=false
+  tnc_imv=false
+		tnc_imv_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" tools"
+	disabled_by_default=${disabled_by_default}" tnc_imv"
 
-# Check whether --enable-scripts was given.
-if test "${enable_scripts+set}" = set; then :
-  enableval=$enable_scripts; scripts_given=true
+# Check whether --enable-tnc-pdp was given.
+if test "${enable_tnc_pdp+set}" = set; then :
+  enableval=$enable_tnc_pdp; tnc_pdp_given=true
 		if test x$enableval = xyes; then
-			scripts=true
+			tnc_pdp=true
 		 else
-			scripts=false
+			tnc_pdp=false
 		fi
 else
-  scripts=true
-		scripts_given=false
+  tnc_pdp=false
+		tnc_pdp_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" scripts"
+	disabled_by_default=${disabled_by_default}" tnc_pdp"
 
-# Check whether --enable-conftest was given.
-if test "${enable_conftest+set}" = set; then :
-  enableval=$enable_conftest; conftest_given=true
+# Check whether --enable-tnccs-11 was given.
+if test "${enable_tnccs_11+set}" = set; then :
+  enableval=$enable_tnccs_11; tnccs_11_given=true
 		if test x$enableval = xyes; then
-			conftest=true
+			tnccs_11=true
 		 else
-			conftest=false
+			tnccs_11=false
 		fi
 else
-  conftest=false
-		conftest_given=false
+  tnccs_11=false
+		tnccs_11_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tnccs_11"
 
-# Check whether --enable-updown was given.
-if test "${enable_updown+set}" = set; then :
-  enableval=$enable_updown; updown_given=true
+# Check whether --enable-tnccs-20 was given.
+if test "${enable_tnccs_20+set}" = set; then :
+  enableval=$enable_tnccs_20; tnccs_20_given=true
 		if test x$enableval = xyes; then
-			updown=true
+			tnccs_20=true
 		 else
-			updown=false
+			tnccs_20=false
 		fi
 else
-  updown=true
-		updown_given=false
+  tnccs_20=false
+		tnccs_20_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" updown"
+	disabled_by_default=${disabled_by_default}" tnccs_20"
 
-# Check whether --enable-attr was given.
-if test "${enable_attr+set}" = set; then :
-  enableval=$enable_attr; attr_given=true
+# Check whether --enable-tnccs-dynamic was given.
+if test "${enable_tnccs_dynamic+set}" = set; then :
+  enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true
 		if test x$enableval = xyes; then
-			attr=true
+			tnccs_dynamic=true
 		 else
-			attr=false
+			tnccs_dynamic=false
 		fi
 else
-  attr=true
-		attr_given=false
+  tnccs_dynamic=false
+		tnccs_dynamic_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" attr"
+	disabled_by_default=${disabled_by_default}" tnccs_dynamic"
 
-# Check whether --enable-attr-sql was given.
-if test "${enable_attr_sql+set}" = set; then :
-  enableval=$enable_attr_sql; attr_sql_given=true
+# misc plugins
+# Check whether --enable-android-log was given.
+if test "${enable_android_log+set}" = set; then :
+  enableval=$enable_android_log; android_log_given=true
 		if test x$enableval = xyes; then
-			attr_sql=true
+			android_log=true
 		 else
-			attr_sql=false
+			android_log=false
 		fi
 else
-  attr_sql=false
-		attr_sql_given=false
+  android_log=false
+		android_log_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" android_log"
 
-# Check whether --enable-dhcp was given.
-if test "${enable_dhcp+set}" = set; then :
-  enableval=$enable_dhcp; dhcp_given=true
+# Check whether --enable-certexpire was given.
+if test "${enable_certexpire+set}" = set; then :
+  enableval=$enable_certexpire; certexpire_given=true
 		if test x$enableval = xyes; then
-			dhcp=true
+			certexpire=true
 		 else
-			dhcp=false
+			certexpire=false
 		fi
 else
-  dhcp=false
-		dhcp_given=false
+  certexpire=false
+		certexpire_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" certexpire"
 
-# Check whether --enable-resolve was given.
-if test "${enable_resolve+set}" = set; then :
-  enableval=$enable_resolve; resolve_given=true
+# Check whether --enable-duplicheck was given.
+if test "${enable_duplicheck+set}" = set; then :
+  enableval=$enable_duplicheck; duplicheck_given=true
 		if test x$enableval = xyes; then
-			resolve=true
+			duplicheck=true
 		 else
-			resolve=false
+			duplicheck=false
 		fi
 else
-  resolve=true
-		resolve_given=false
+  duplicheck=false
+		duplicheck_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" resolve"
+	disabled_by_default=${disabled_by_default}" duplicheck"
 
-# Check whether --enable-padlock was given.
-if test "${enable_padlock+set}" = set; then :
-  enableval=$enable_padlock; padlock_given=true
+# Check whether --enable-error-notify was given.
+if test "${enable_error_notify+set}" = set; then :
+  enableval=$enable_error_notify; error_notify_given=true
 		if test x$enableval = xyes; then
-			padlock=true
+			error_notify=true
 		 else
-			padlock=false
+			error_notify=false
 		fi
 else
-  padlock=false
-		padlock_given=false
+  error_notify=false
+		error_notify_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" error_notify"
 
-# Check whether --enable-openssl was given.
-if test "${enable_openssl+set}" = set; then :
-  enableval=$enable_openssl; openssl_given=true
+# Check whether --enable-farp was given.
+if test "${enable_farp+set}" = set; then :
+  enableval=$enable_farp; farp_given=true
 		if test x$enableval = xyes; then
-			openssl=true
+			farp=true
 		 else
-			openssl=false
+			farp=false
 		fi
 else
-  openssl=false
-		openssl_given=false
+  farp=false
+		farp_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" farp"
 
-# Check whether --enable-gcrypt was given.
-if test "${enable_gcrypt+set}" = set; then :
-  enableval=$enable_gcrypt; gcrypt_given=true
+# Check whether --enable-ha was given.
+if test "${enable_ha+set}" = set; then :
+  enableval=$enable_ha; ha_given=true
 		if test x$enableval = xyes; then
-			gcrypt=true
+			ha=true
 		 else
-			gcrypt=false
+			ha=false
 		fi
 else
-  gcrypt=false
-		gcrypt_given=false
+  ha=false
+		ha_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" ha"
 
-# Check whether --enable-agent was given.
-if test "${enable_agent+set}" = set; then :
-  enableval=$enable_agent; agent_given=true
+# Check whether --enable-led was given.
+if test "${enable_led+set}" = set; then :
+  enableval=$enable_led; led_given=true
 		if test x$enableval = xyes; then
-			agent=true
+			led=true
 		 else
-			agent=false
+			led=false
 		fi
 else
-  agent=false
-		agent_given=false
+  led=false
+		led_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" led"
 
-# Check whether --enable-keychain was given.
-if test "${enable_keychain+set}" = set; then :
-  enableval=$enable_keychain; keychain_given=true
+# Check whether --enable-load-tester was given.
+if test "${enable_load_tester+set}" = set; then :
+  enableval=$enable_load_tester; load_tester_given=true
 		if test x$enableval = xyes; then
-			keychain=true
+			load_tester=true
 		 else
-			keychain=false
+			load_tester=false
 		fi
 else
-  keychain=false
-		keychain_given=false
+  load_tester=false
+		load_tester_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" load_tester"
 
-# Check whether --enable-pkcs11 was given.
-if test "${enable_pkcs11+set}" = set; then :
-  enableval=$enable_pkcs11; pkcs11_given=true
+# Check whether --enable-lookip was given.
+if test "${enable_lookip+set}" = set; then :
+  enableval=$enable_lookip; lookip_given=true
 		if test x$enableval = xyes; then
-			pkcs11=true
+			lookip=true
 		 else
-			pkcs11=false
+			lookip=false
 		fi
 else
-  pkcs11=false
-		pkcs11_given=false
+  lookip=false
+		lookip_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" lookip"
 
-# Check whether --enable-ctr was given.
-if test "${enable_ctr+set}" = set; then :
-  enableval=$enable_ctr; ctr_given=true
+# Check whether --enable-maemo was given.
+if test "${enable_maemo+set}" = set; then :
+  enableval=$enable_maemo; maemo_given=true
 		if test x$enableval = xyes; then
-			ctr=true
+			maemo=true
 		 else
-			ctr=false
+			maemo=false
 		fi
 else
-  ctr=false
-		ctr_given=false
+  maemo=false
+		maemo_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" maemo"
 
-# Check whether --enable-ccm was given.
-if test "${enable_ccm+set}" = set; then :
-  enableval=$enable_ccm; ccm_given=true
+# Check whether --enable-radattr was given.
+if test "${enable_radattr+set}" = set; then :
+  enableval=$enable_radattr; radattr_given=true
 		if test x$enableval = xyes; then
-			ccm=true
+			radattr=true
 		 else
-			ccm=false
+			radattr=false
 		fi
 else
-  ccm=false
-		ccm_given=false
+  radattr=false
+		radattr_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" radattr"
 
-# Check whether --enable-gcm was given.
-if test "${enable_gcm+set}" = set; then :
-  enableval=$enable_gcm; gcm_given=true
+# Check whether --enable-systime-fix was given.
+if test "${enable_systime_fix+set}" = set; then :
+  enableval=$enable_systime_fix; systime_fix_given=true
 		if test x$enableval = xyes; then
-			gcm=true
+			systime_fix=true
 		 else
-			gcm=false
+			systime_fix=false
 		fi
 else
-  gcm=false
-		gcm_given=false
+  systime_fix=false
+		systime_fix_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" systime_fix"
 
-# Check whether --enable-ntru was given.
-if test "${enable_ntru+set}" = set; then :
-  enableval=$enable_ntru; ntru_given=true
+# Check whether --enable-test-vectors was given.
+if test "${enable_test_vectors+set}" = set; then :
+  enableval=$enable_test_vectors; test_vectors_given=true
 		if test x$enableval = xyes; then
-			ntru=true
+			test_vectors=true
 		 else
-			ntru=false
+			test_vectors=false
 		fi
 else
-  ntru=false
-		ntru_given=false
+  test_vectors=false
+		test_vectors_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" test_vectors"
 
-# Check whether --enable-addrblock was given.
-if test "${enable_addrblock+set}" = set; then :
-  enableval=$enable_addrblock; addrblock_given=true
+# Check whether --enable-unit-tester was given.
+if test "${enable_unit_tester+set}" = set; then :
+  enableval=$enable_unit_tester; unit_tester_given=true
 		if test x$enableval = xyes; then
-			addrblock=true
+			unit_tester=true
 		 else
-			addrblock=false
+			unit_tester=false
 		fi
 else
-  addrblock=false
-		addrblock_given=false
+  unit_tester=false
+		unit_tester_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unit_tester"
 
-# Check whether --enable-unity was given.
-if test "${enable_unity+set}" = set; then :
-  enableval=$enable_unity; unity_given=true
+# Check whether --enable-updown was given.
+if test "${enable_updown+set}" = set; then :
+  enableval=$enable_updown; updown_given=true
 		if test x$enableval = xyes; then
-			unity=true
+			updown=true
 		 else
-			unity=false
+			updown=false
 		fi
 else
-  unity=false
-		unity_given=false
+  updown=true
+		updown_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" updown"
 
-# Check whether --enable-uci was given.
-if test "${enable_uci+set}" = set; then :
-  enableval=$enable_uci; uci_given=true
+# programs/components
+# Check whether --enable-charon was given.
+if test "${enable_charon+set}" = set; then :
+  enableval=$enable_charon; charon_given=true
 		if test x$enableval = xyes; then
-			uci=true
+			charon=true
 		 else
-			uci=false
+			charon=false
 		fi
 else
-  uci=false
-		uci_given=false
+  charon=true
+		charon_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" charon"
 
-# Check whether --enable-osx-attr was given.
-if test "${enable_osx_attr+set}" = set; then :
-  enableval=$enable_osx_attr; osx_attr_given=true
+# Check whether --enable-cmd was given.
+if test "${enable_cmd+set}" = set; then :
+  enableval=$enable_cmd; cmd_given=true
 		if test x$enableval = xyes; then
-			osx_attr=true
+			cmd=true
 		 else
-			osx_attr=false
+			cmd=false
 		fi
 else
-  osx_attr=false
-		osx_attr_given=false
+  cmd=false
+		cmd_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" cmd"
 
-# Check whether --enable-android-dns was given.
-if test "${enable_android_dns+set}" = set; then :
-  enableval=$enable_android_dns; android_dns_given=true
+# Check whether --enable-conftest was given.
+if test "${enable_conftest+set}" = set; then :
+  enableval=$enable_conftest; conftest_given=true
 		if test x$enableval = xyes; then
-			android_dns=true
+			conftest=true
 		 else
-			android_dns=false
+			conftest=false
 		fi
 else
-  android_dns=false
-		android_dns_given=false
+  conftest=false
+		conftest_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" conftest"
 
-# Check whether --enable-android-log was given.
-if test "${enable_android_log+set}" = set; then :
-  enableval=$enable_android_log; android_log_given=true
+# Check whether --enable-dumm was given.
+if test "${enable_dumm+set}" = set; then :
+  enableval=$enable_dumm; dumm_given=true
 		if test x$enableval = xyes; then
-			android_log=true
+			dumm=true
 		 else
-			android_log=false
+			dumm=false
 		fi
 else
-  android_log=false
-		android_log_given=false
+  dumm=false
+		dumm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" dumm"
 
-# Check whether --enable-maemo was given.
-if test "${enable_maemo+set}" = set; then :
-  enableval=$enable_maemo; maemo_given=true
+# Check whether --enable-fast was given.
+if test "${enable_fast+set}" = set; then :
+  enableval=$enable_fast; fast_given=true
 		if test x$enableval = xyes; then
-			maemo=true
+			fast=true
 		 else
-			maemo=false
+			fast=false
 		fi
 else
-  maemo=false
-		maemo_given=false
+  fast=false
+		fast_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" fast"
 
-# Check whether --enable-nm was given.
-if test "${enable_nm+set}" = set; then :
-  enableval=$enable_nm; nm_given=true
+# Check whether --enable-libipsec was given.
+if test "${enable_libipsec+set}" = set; then :
+  enableval=$enable_libipsec; libipsec_given=true
 		if test x$enableval = xyes; then
-			nm=true
+			libipsec=true
 		 else
-			nm=false
+			libipsec=false
 		fi
 else
-  nm=false
-		nm_given=false
+  libipsec=false
+		libipsec_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" libipsec"
 
-# Check whether --enable-ha was given.
-if test "${enable_ha+set}" = set; then :
-  enableval=$enable_ha; ha_given=true
+# Check whether --enable-manager was given.
+if test "${enable_manager+set}" = set; then :
+  enableval=$enable_manager; manager_given=true
 		if test x$enableval = xyes; then
-			ha=true
+			manager=true
 		 else
-			ha=false
+			manager=false
 		fi
 else
-  ha=false
-		ha_given=false
+  manager=false
+		manager_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" manager"
 
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist; whitelist_given=true
+# Check whether --enable-medcli was given.
+if test "${enable_medcli+set}" = set; then :
+  enableval=$enable_medcli; medcli_given=true
 		if test x$enableval = xyes; then
-			whitelist=true
+			medcli=true
 		 else
-			whitelist=false
+			medcli=false
 		fi
 else
-  whitelist=false
-		whitelist_given=false
+  medcli=false
+		medcli_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" medcli"
 
-# Check whether --enable-lookip was given.
-if test "${enable_lookip+set}" = set; then :
-  enableval=$enable_lookip; lookip_given=true
+# Check whether --enable-medsrv was given.
+if test "${enable_medsrv+set}" = set; then :
+  enableval=$enable_medsrv; medsrv_given=true
 		if test x$enableval = xyes; then
-			lookip=true
+			medsrv=true
 		 else
-			lookip=false
+			medsrv=false
 		fi
 else
-  lookip=false
-		lookip_given=false
+  medsrv=false
+		medsrv_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" medsrv"
 
-# Check whether --enable-error-notify was given.
-if test "${enable_error_notify+set}" = set; then :
-  enableval=$enable_error_notify; error_notify_given=true
+# Check whether --enable-nm was given.
+if test "${enable_nm+set}" = set; then :
+  enableval=$enable_nm; nm_given=true
 		if test x$enableval = xyes; then
-			error_notify=true
+			nm=true
 		 else
-			error_notify=false
+			nm=false
 		fi
 else
-  error_notify=false
-		error_notify_given=false
+  nm=false
+		nm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" nm"
 
-# Check whether --enable-certexpire was given.
-if test "${enable_certexpire+set}" = set; then :
-  enableval=$enable_certexpire; certexpire_given=true
+# Check whether --enable-scripts was given.
+if test "${enable_scripts+set}" = set; then :
+  enableval=$enable_scripts; scripts_given=true
 		if test x$enableval = xyes; then
-			certexpire=true
+			scripts=true
 		 else
-			certexpire=false
+			scripts=false
 		fi
 else
-  certexpire=false
-		certexpire_given=false
+  scripts=true
+		scripts_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" scripts"
 
-# Check whether --enable-systime-fix was given.
-if test "${enable_systime_fix+set}" = set; then :
-  enableval=$enable_systime_fix; systime_fix_given=true
+# Check whether --enable-tkm was given.
+if test "${enable_tkm+set}" = set; then :
+  enableval=$enable_tkm; tkm_given=true
 		if test x$enableval = xyes; then
-			systime_fix=true
+			tkm=true
 		 else
-			systime_fix=false
+			tkm=false
 		fi
 else
-  systime_fix=false
-		systime_fix_given=false
+  tkm=false
+		tkm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tkm"
 
-# Check whether --enable-led was given.
-if test "${enable_led+set}" = set; then :
-  enableval=$enable_led; led_given=true
+# Check whether --enable-tools was given.
+if test "${enable_tools+set}" = set; then :
+  enableval=$enable_tools; tools_given=true
 		if test x$enableval = xyes; then
-			led=true
+			tools=true
 		 else
-			led=false
+			tools=false
 		fi
 else
-  led=false
-		led_given=false
+  tools=true
+		tools_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" tools"
 
-# Check whether --enable-duplicheck was given.
-if test "${enable_duplicheck+set}" = set; then :
-  enableval=$enable_duplicheck; duplicheck_given=true
+# optional features
+# Check whether --enable-bfd-backtraces was given.
+if test "${enable_bfd_backtraces+set}" = set; then :
+  enableval=$enable_bfd_backtraces; bfd_backtraces_given=true
 		if test x$enableval = xyes; then
-			duplicheck=true
+			bfd_backtraces=true
 		 else
-			duplicheck=false
+			bfd_backtraces=false
 		fi
 else
-  duplicheck=false
-		duplicheck_given=false
+  bfd_backtraces=false
+		bfd_backtraces_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" bfd_backtraces"
 
-# Check whether --enable-coupling was given.
-if test "${enable_coupling+set}" = set; then :
-  enableval=$enable_coupling; coupling_given=true
+# Check whether --enable-ikev1 was given.
+if test "${enable_ikev1+set}" = set; then :
+  enableval=$enable_ikev1; ikev1_given=true
 		if test x$enableval = xyes; then
-			coupling=true
+			ikev1=true
 		 else
-			coupling=false
+			ikev1=false
 		fi
 else
-  coupling=false
-		coupling_given=false
+  ikev1=true
+		ikev1_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev1"
 
-# Check whether --enable-radattr was given.
-if test "${enable_radattr+set}" = set; then :
-  enableval=$enable_radattr; radattr_given=true
+# Check whether --enable-ikev2 was given.
+if test "${enable_ikev2+set}" = set; then :
+  enableval=$enable_ikev2; ikev2_given=true
 		if test x$enableval = xyes; then
-			radattr=true
+			ikev2=true
 		 else
-			radattr=false
+			ikev2=false
 		fi
 else
-  radattr=false
-		radattr_given=false
+  ikev2=true
+		ikev2_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev2"
 
-# Check whether --enable-vstr was given.
-if test "${enable_vstr+set}" = set; then :
-  enableval=$enable_vstr; vstr_given=true
+# Check whether --enable-integrity-test was given.
+if test "${enable_integrity_test+set}" = set; then :
+  enableval=$enable_integrity_test; integrity_test_given=true
 		if test x$enableval = xyes; then
-			vstr=true
+			integrity_test=true
 		 else
-			vstr=false
+			integrity_test=false
 		fi
 else
-  vstr=false
-		vstr_given=false
+  integrity_test=false
+		integrity_test_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" integrity_test"
 
-# Check whether --enable-monolithic was given.
-if test "${enable_monolithic+set}" = set; then :
-  enableval=$enable_monolithic; monolithic_given=true
+# Check whether --enable-load-warning was given.
+if test "${enable_load_warning+set}" = set; then :
+  enableval=$enable_load_warning; load_warning_given=true
 		if test x$enableval = xyes; then
-			monolithic=true
+			load_warning=true
 		 else
-			monolithic=false
+			load_warning=false
 		fi
 else
-  monolithic=false
-		monolithic_given=false
+  load_warning=true
+		load_warning_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" load_warning"
 
-# Check whether --enable-bfd-backtraces was given.
-if test "${enable_bfd_backtraces+set}" = set; then :
-  enableval=$enable_bfd_backtraces; bfd_backtraces_given=true
+# Check whether --enable-mediation was given.
+if test "${enable_mediation+set}" = set; then :
+  enableval=$enable_mediation; mediation_given=true
 		if test x$enableval = xyes; then
-			bfd_backtraces=true
+			mediation=true
 		 else
-			bfd_backtraces=false
+			mediation=false
 		fi
 else
-  bfd_backtraces=false
-		bfd_backtraces_given=false
+  mediation=false
+		mediation_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" mediation"
 
 # Check whether --enable-unwind-backtraces was given.
 if test "${enable_unwind_backtraces+set}" = set; then :
@@ -6740,7 +6859,9 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unwind_backtraces"
 
+# compile options
 # Check whether --enable-coverage was given.
 if test "${enable_coverage+set}" = set; then :
   enableval=$enable_coverage; coverage_given=true
@@ -6755,36 +6876,55 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" coverage"
 
-# Check whether --enable-tkm was given.
-if test "${enable_tkm+set}" = set; then :
-  enableval=$enable_tkm; tkm_given=true
+# Check whether --enable-leak-detective was given.
+if test "${enable_leak_detective+set}" = set; then :
+  enableval=$enable_leak_detective; leak_detective_given=true
 		if test x$enableval = xyes; then
-			tkm=true
+			leak_detective=true
 		 else
-			tkm=false
+			leak_detective=false
 		fi
 else
-  tkm=false
-		tkm_given=false
+  leak_detective=false
+		leak_detective_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" leak_detective"
 
-# Check whether --enable-cmd was given.
-if test "${enable_cmd+set}" = set; then :
-  enableval=$enable_cmd; cmd_given=true
+# Check whether --enable-lock-profiler was given.
+if test "${enable_lock_profiler+set}" = set; then :
+  enableval=$enable_lock_profiler; lock_profiler_given=true
 		if test x$enableval = xyes; then
-			cmd=true
+			lock_profiler=true
 		 else
-			cmd=false
+			lock_profiler=false
 		fi
 else
-  cmd=false
-		cmd_given=false
+  lock_profiler=false
+		lock_profiler_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" lock_profiler"
+
+# Check whether --enable-monolithic was given.
+if test "${enable_monolithic+set}" = set; then :
+  enableval=$enable_monolithic; monolithic_given=true
+		if test x$enableval = xyes; then
+			monolithic=true
+		 else
+			monolithic=false
+		fi
+else
+  monolithic=false
+		monolithic_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" monolithic"
 
 
 # ===================================
@@ -6811,7 +6951,35 @@ fi
 if test x$defaults = xfalse; then
 	for option in $enabled_by_default; do
 		eval test x\${${option}_given} = xtrue && continue
-		let $option=false
+		eval $option=false
+	done
+fi
+
+# ==============================
+#  option to enable all options
+# ==============================
+
+# Check whether --enable-all was given.
+if test "${enable_all+set}" = set; then :
+  enableval=$enable_all; all_given=true
+		if test x$enableval = xyes; then
+			all=true
+		 else
+			all=false
+		fi
+else
+  all=false
+		all_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" all"
+
+
+if test x$all_given = xtrue; then
+	for option in $disabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		eval $option=true
 	done
 fi
 
@@ -17646,6 +17814,7 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		CFLAGS="$save_CFLAGS"
 
+
 fi
 
 
@@ -17948,9 +18117,20 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 
-# check for the new register_printf_specifier function with len argument,
-# or the deprecated register_printf_function without
-ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
+case "$printf_hooks" in
+auto|builtin|glibc|vstr)
+	;;
+*)
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: invalid printf hook implementation, defaulting to 'auto'" >&5
+$as_echo "$as_me: invalid printf hook implementation, defaulting to 'auto'" >&6;}
+	printf_hooks=auto
+	;;
+esac
+
+if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then
+	# check for the new register_printf_specifier function with len argument,
+	# or the deprecated register_printf_function without
+	ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
 if test "x$ac_cv_func_register_printf_specifier" = xyes; then :
 
 $as_echo "#define HAVE_PRINTF_SPECIFIER /**/" >>confdefs.h
@@ -17963,9 +18143,14 @@ $as_echo "#define HAVE_PRINTF_FUNCTION /**/" >>confdefs.h
 
 else
 
-			{ $as_echo "$as_me:${as_lineno-$LINENO}: printf does not support custom format specifiers!" >&5
-$as_echo "$as_me: printf does not support custom format specifiers!" >&6;}
-			builtin_printf=true
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: printf(3) does not support custom format specifiers!" >&5
+$as_echo "$as_me: printf(3) does not support custom format specifiers!" >&6;}
+				if test x$printf_hooks = xglibc; then
+					as_fn_error $? "please select a different printf hook implementation" "$LINENO" 5
+				else
+					# fallback to builtin printf hook implementation
+					printf_hooks=builtin
+				fi
 
 
 fi
@@ -17973,8 +18158,9 @@ fi
 
 fi
 
+fi
 
-if test x$vstr = xtrue; then
+if test x$printf_hooks = xvstr; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
 $as_echo_n "checking for main in -lvstr... " >&6; }
 if ${ac_cv_lib_vstr_main+:} false; then :
@@ -18014,10 +18200,9 @@ fi
 
 $as_echo "#define USE_VSTR /**/" >>confdefs.h
 
-	builtin_printf=false
 fi
 
-if test x$builtin_printf = xtrue; then
+if test x$printf_hooks = xbuiltin; then
 
 $as_echo "#define USE_BUILTIN_PRINTF /**/" >>confdefs.h
 
@@ -20162,7 +20347,6 @@ charon_plugins=
 starter_plugins=
 pool_plugins=
 attest_plugins=
-openac_plugins=
 scepclient_plugins=
 pki_plugins=
 scripts_plugins=
@@ -20181,7 +20365,6 @@ t_plugins=
 if test x$test_vectors = xtrue; then
 		s_plugins=${s_plugins}" test-vectors"
 		charon_plugins=${charon_plugins}" test-vectors"
-		openac_plugins=${openac_plugins}" test-vectors"
 		scepclient_plugins=${scepclient_plugins}" test-vectors"
 		pki_plugins=${pki_plugins}" test-vectors"
 
@@ -20255,7 +20438,6 @@ if test x$pkcs11 = xtrue; then
 if test x$aes = xtrue; then
 		s_plugins=${s_plugins}" aes"
 		charon_plugins=${charon_plugins}" aes"
-		openac_plugins=${openac_plugins}" aes"
 		scepclient_plugins=${scepclient_plugins}" aes"
 		pki_plugins=${pki_plugins}" aes"
 		scripts_plugins=${scripts_plugins}" aes"
@@ -20267,7 +20449,6 @@ if test x$aes = xtrue; then
 if test x$des = xtrue; then
 		s_plugins=${s_plugins}" des"
 		charon_plugins=${charon_plugins}" des"
-		openac_plugins=${openac_plugins}" des"
 		scepclient_plugins=${scepclient_plugins}" des"
 		pki_plugins=${pki_plugins}" des"
 		scripts_plugins=${scripts_plugins}" des"
@@ -20279,7 +20460,6 @@ if test x$des = xtrue; then
 if test x$blowfish = xtrue; then
 		s_plugins=${s_plugins}" blowfish"
 		charon_plugins=${charon_plugins}" blowfish"
-		openac_plugins=${openac_plugins}" blowfish"
 		scepclient_plugins=${scepclient_plugins}" blowfish"
 		pki_plugins=${pki_plugins}" blowfish"
 		scripts_plugins=${scripts_plugins}" blowfish"
@@ -20291,7 +20471,6 @@ if test x$blowfish = xtrue; then
 if test x$rc2 = xtrue; then
 		s_plugins=${s_plugins}" rc2"
 		charon_plugins=${charon_plugins}" rc2"
-		openac_plugins=${openac_plugins}" rc2"
 		scepclient_plugins=${scepclient_plugins}" rc2"
 		pki_plugins=${pki_plugins}" rc2"
 		scripts_plugins=${scripts_plugins}" rc2"
@@ -20303,7 +20482,6 @@ if test x$rc2 = xtrue; then
 if test x$sha1 = xtrue; then
 		s_plugins=${s_plugins}" sha1"
 		charon_plugins=${charon_plugins}" sha1"
-		openac_plugins=${openac_plugins}" sha1"
 		scepclient_plugins=${scepclient_plugins}" sha1"
 		pki_plugins=${pki_plugins}" sha1"
 		scripts_plugins=${scripts_plugins}" sha1"
@@ -20317,7 +20495,6 @@ if test x$sha1 = xtrue; then
 if test x$sha2 = xtrue; then
 		s_plugins=${s_plugins}" sha2"
 		charon_plugins=${charon_plugins}" sha2"
-		openac_plugins=${openac_plugins}" sha2"
 		scepclient_plugins=${scepclient_plugins}" sha2"
 		pki_plugins=${pki_plugins}" sha2"
 		scripts_plugins=${scripts_plugins}" sha2"
@@ -20331,7 +20508,6 @@ if test x$sha2 = xtrue; then
 if test x$md4 = xtrue; then
 		s_plugins=${s_plugins}" md4"
 		charon_plugins=${charon_plugins}" md4"
-		openac_plugins=${openac_plugins}" md4"
 		manager_plugins=${manager_plugins}" md4"
 		scepclient_plugins=${scepclient_plugins}" md4"
 		pki_plugins=${pki_plugins}" md4"
@@ -20343,7 +20519,6 @@ if test x$md4 = xtrue; then
 if test x$md5 = xtrue; then
 		s_plugins=${s_plugins}" md5"
 		charon_plugins=${charon_plugins}" md5"
-		openac_plugins=${openac_plugins}" md5"
 		scepclient_plugins=${scepclient_plugins}" md5"
 		pki_plugins=${pki_plugins}" md5"
 		scripts_plugins=${scripts_plugins}" md5"
@@ -20356,7 +20531,6 @@ if test x$md5 = xtrue; then
 if test x$rdrand = xtrue; then
 		s_plugins=${s_plugins}" rdrand"
 		charon_plugins=${charon_plugins}" rdrand"
-		openac_plugins=${openac_plugins}" rdrand"
 		scepclient_plugins=${scepclient_plugins}" rdrand"
 		pki_plugins=${pki_plugins}" rdrand"
 		scripts_plugins=${scripts_plugins}" rdrand"
@@ -20370,7 +20544,6 @@ if test x$rdrand = xtrue; then
 if test x$random = xtrue; then
 		s_plugins=${s_plugins}" random"
 		charon_plugins=${charon_plugins}" random"
-		openac_plugins=${openac_plugins}" random"
 		scepclient_plugins=${scepclient_plugins}" random"
 		pki_plugins=${pki_plugins}" random"
 		scripts_plugins=${scripts_plugins}" random"
@@ -20392,7 +20565,6 @@ if test x$nonce = xtrue; then
 if test x$x509 = xtrue; then
 		s_plugins=${s_plugins}" x509"
 		charon_plugins=${charon_plugins}" x509"
-		openac_plugins=${openac_plugins}" x509"
 		scepclient_plugins=${scepclient_plugins}" x509"
 		pki_plugins=${pki_plugins}" x509"
 		scripts_plugins=${scripts_plugins}" x509"
@@ -20418,6 +20590,12 @@ if test x$constraints = xtrue; then
 
 	fi
 
+if test x$acert = xtrue; then
+		s_plugins=${s_plugins}" acert"
+		charon_plugins=${charon_plugins}" acert"
+
+	fi
+
 if test x$pubkey = xtrue; then
 		s_plugins=${s_plugins}" pubkey"
 		charon_plugins=${charon_plugins}" pubkey"
@@ -20428,7 +20606,6 @@ if test x$pubkey = xtrue; then
 if test x$pkcs1 = xtrue; then
 		s_plugins=${s_plugins}" pkcs1"
 		charon_plugins=${charon_plugins}" pkcs1"
-		openac_plugins=${openac_plugins}" pkcs1"
 		scepclient_plugins=${scepclient_plugins}" pkcs1"
 		pki_plugins=${pki_plugins}" pkcs1"
 		scripts_plugins=${scripts_plugins}" pkcs1"
@@ -20454,7 +20631,6 @@ if test x$pkcs7 = xtrue; then
 if test x$pkcs8 = xtrue; then
 		s_plugins=${s_plugins}" pkcs8"
 		charon_plugins=${charon_plugins}" pkcs8"
-		openac_plugins=${openac_plugins}" pkcs8"
 		scepclient_plugins=${scepclient_plugins}" pkcs8"
 		pki_plugins=${pki_plugins}" pkcs8"
 		scripts_plugins=${scripts_plugins}" pkcs8"
@@ -20513,7 +20689,6 @@ if test x$ipseckey = xtrue; then
 if test x$pem = xtrue; then
 		s_plugins=${s_plugins}" pem"
 		charon_plugins=${charon_plugins}" pem"
-		openac_plugins=${openac_plugins}" pem"
 		scepclient_plugins=${scepclient_plugins}" pem"
 		pki_plugins=${pki_plugins}" pem"
 		scripts_plugins=${scripts_plugins}" pem"
@@ -20534,7 +20709,6 @@ if test x$padlock = xtrue; then
 if test x$openssl = xtrue; then
 		s_plugins=${s_plugins}" openssl"
 		charon_plugins=${charon_plugins}" openssl"
-		openac_plugins=${openac_plugins}" openssl"
 		scepclient_plugins=${scepclient_plugins}" openssl"
 		pki_plugins=${pki_plugins}" openssl"
 		scripts_plugins=${scripts_plugins}" openssl"
@@ -20549,7 +20723,6 @@ if test x$openssl = xtrue; then
 if test x$gcrypt = xtrue; then
 		s_plugins=${s_plugins}" gcrypt"
 		charon_plugins=${charon_plugins}" gcrypt"
-		openac_plugins=${openac_plugins}" gcrypt"
 		scepclient_plugins=${scepclient_plugins}" gcrypt"
 		pki_plugins=${pki_plugins}" gcrypt"
 		scripts_plugins=${scripts_plugins}" gcrypt"
@@ -20564,7 +20737,6 @@ if test x$gcrypt = xtrue; then
 if test x$af_alg = xtrue; then
 		s_plugins=${s_plugins}" af-alg"
 		charon_plugins=${charon_plugins}" af-alg"
-		openac_plugins=${openac_plugins}" af-alg"
 		scepclient_plugins=${scepclient_plugins}" af-alg"
 		pki_plugins=${pki_plugins}" af-alg"
 		scripts_plugins=${scripts_plugins}" af-alg"
@@ -20586,7 +20758,6 @@ if test x$fips_prf = xtrue; then
 if test x$gmp = xtrue; then
 		s_plugins=${s_plugins}" gmp"
 		charon_plugins=${charon_plugins}" gmp"
-		openac_plugins=${openac_plugins}" gmp"
 		scepclient_plugins=${scepclient_plugins}" gmp"
 		pki_plugins=${pki_plugins}" gmp"
 		scripts_plugins=${scripts_plugins}" gmp"
@@ -21125,7 +21296,6 @@ if test x$unit_tester = xtrue; then
 
 
 
-
 # ======================
 #  set Makefile.am vars
 # ======================
@@ -21300,6 +21470,14 @@ else
   USE_CONSTRAINTS_FALSE=
 fi
 
+ if test x$acert = xtrue; then
+  USE_ACERT_TRUE=
+  USE_ACERT_FALSE='#'
+else
+  USE_ACERT_TRUE='#'
+  USE_ACERT_FALSE=
+fi
+
  if test x$pubkey = xtrue; then
   USE_PUBKEY_TRUE=
   USE_PUBKEY_FALSE='#'
@@ -22357,7 +22535,7 @@ else
   USE_LIBCAP_FALSE=
 fi
 
- if test x$vstr = xtrue; then
+ if test x$printf_hooks = xvstr; then
   USE_VSTR_TRUE=
   USE_VSTR_FALSE='#'
 else
@@ -22365,7 +22543,7 @@ else
   USE_VSTR_FALSE=
 fi
 
- if test x$builtin_printf = xtrue; then
+ if test x$printf_hooks = xbuiltin; then
   USE_BUILTIN_PRINTF_TRUE=
   USE_BUILTIN_PRINTF_FALSE='#'
 else
@@ -22535,14 +22713,14 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile"
 
 
 # =================
 #  build man pages
 # =================
 
-ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1"
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1"
 
 
 cat >confcache <<\_ACEOF
@@ -22771,6 +22949,10 @@ if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then
   as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_ACERT_TRUE}" && test -z "${USE_ACERT_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ACERT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
   as_fn_error $? "conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23744,7 +23926,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.1.2, which was
+This file was extended by strongSwan $as_me 5.1.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23810,7 +23992,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.1.2
+strongSwan config.status 5.1.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -24246,6 +24428,7 @@ do
     "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
     "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;;
     "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;;
+    "src/libstrongswan/plugins/acert/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/acert/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
     "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;;
@@ -24285,6 +24468,7 @@ do
     "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
+    "src/libtls/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/tests/Makefile" ;;
     "src/libradius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libradius/Makefile" ;;
     "src/libtncif/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtncif/Makefile" ;;
     "src/libtnccs/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/Makefile" ;;
@@ -24374,7 +24558,6 @@ do
     "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
     "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
-    "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
     "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;;
     "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;;
@@ -24404,6 +24587,7 @@ do
     "src/pki/man/pki---req.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---req.1" ;;
     "src/pki/man/pki---self.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---self.1" ;;
     "src/pki/man/pki---signcrl.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---signcrl.1" ;;
+    "src/pki/man/pki---acert.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---acert.1" ;;
     "src/pki/man/pki---verify.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---verify.1" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
diff --git a/configure.ac b/configure.ac
index 8a925c29a..2ad372b18 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.1.2])
+AC_INIT([strongSwan],[5.1.3])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -66,6 +66,7 @@ ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Co
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
 ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
+ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
 
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
@@ -118,53 +119,57 @@ AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 
 m4_include(m4/macros/enable-disable.m4)
 
-ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
-ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
-ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
-ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+# crypto plugins
 ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
-ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
 ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
-ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
+ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
+ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
 ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
+ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
+ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
+ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
+ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
 ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
 ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
-ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
-ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
-ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
-ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
-ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
-ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
-ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
-ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
-ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
+ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+# encoding/decoding plugins
+ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
+ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
 ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
 ARG_DISBL_SET([pkcs12],         [disable PKCS12 container support plugin.])
-ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
-ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
-ARG_ENABL_SET([dnscert],        [enable DNSCERT authentication plugin.])
-ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
-ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
-ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
-ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
-ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
-ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
-ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+# fetcher/resolver plugins
+ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
+ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
+# database plugins
 ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
 ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
-ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
-ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
-ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
-ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
-ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
-ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
-ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
-ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
-ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+# authentication/credential plugins
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
+ARG_ENABL_SET([acert],          [enable X509 attribute certificate checking plugin.])
+ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
+ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
+ARG_ENABL_SET([dnscert],        [enable DNSCERT authentication plugin.])
 ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
 ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
 ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
@@ -183,88 +188,97 @@ ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
 ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
 ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
+ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
+ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
+ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
 ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
-ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
-ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
-ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
-ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
-ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
-ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
-ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
-ARG_ENABL_SET([imc-test],       [enable IMC test module.])
-ARG_ENABL_SET([imv-test],       [enable IMV test module.])
-ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
-ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
-ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
-ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
-ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
-ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
-ARG_ENABL_SET([imc-swid],       [enable IMC swid module.])
-ARG_ENABL_SET([imv-swid],       [enable IMV swid module.])
+# kernel interfaces / sockets
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
 ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
 ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
-ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
 ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
 ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
-ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
-ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
-ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
-ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
-ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
-ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
-ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
-ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
-ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
-ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
-ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
-ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
-ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
-ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+# configuration/control plugins
+ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
+ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
+ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
+ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+# attribute provider/consumer plugins
+ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
 ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
 ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
 ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
+ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
 ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
-ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
-ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
-ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
-ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
-ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
-ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
-ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
-ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
-ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
-ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
-ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
+# TNC modules/plugins
+ARG_ENABL_SET([imc-test],       [enable IMC test module.])
+ARG_ENABL_SET([imv-test],       [enable IMV test module.])
+ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
+ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
+ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
+ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
+ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
+ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
+ARG_ENABL_SET([imc-swid],       [enable IMC swid module.])
+ARG_ENABL_SET([imv-swid],       [enable IMV swid module.])
+ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
+ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
+ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
+ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
+# misc plugins
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
-ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
-ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
-ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
-ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
-ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
-ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
-ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
-ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
-ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
+ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
+ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
+ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
+ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
+ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
+ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
-ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
-ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
+ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
+ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+# programs/components
+ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
+ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
+ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
+ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
+ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
+ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
+ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
+ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
+ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
+ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
+ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
+ARG_DISBL_SET([tools],          [disable additional utilities (scepclient and pki).])
+# optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
+ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
+ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
+ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
+ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
+ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
+# compile options
 ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
-ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
-ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
+ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
+ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
+ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 
 # ===================================
 #  option to disable default options
@@ -275,7 +289,20 @@ ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enable
 if test x$defaults = xfalse; then
 	for option in $enabled_by_default; do
 		eval test x\${${option}_given} = xtrue && continue
-		let $option=false
+		eval $option=false
+	done
+fi
+
+# ==============================
+#  option to enable all options
+# ==============================
+
+ARG_ENABL_SET([all],            [enable all plugins and features (they can be disabled with their respective --disable options). Mainly for testing.])
+
+if test x$all_given = xtrue; then
+	for option in $disabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		eval $option=true
 	done
 fi
 
@@ -528,8 +555,7 @@ AC_CHECK_FUNC(
 			 AC_MSG_FAILURE([qsort_r has unknown semantics])])
 		])
 		CFLAGS="$save_CFLAGS"
-	],
-	[]
+	]
 )
 
 AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
@@ -660,28 +686,43 @@ AC_RUN_IFELSE([AC_LANG_SOURCE(
 	[AC_MSG_RESULT([no])]
 )
 
-# check for the new register_printf_specifier function with len argument,
-# or the deprecated register_printf_function without
-AC_CHECK_FUNC(
-	[register_printf_specifier],
-	[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
-	[AC_CHECK_FUNC(
-		[register_printf_function],
-		[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
-		[
-			AC_MSG_NOTICE([printf does not support custom format specifiers!])
-			builtin_printf=true
-		]
-	)]
-)
+case "$printf_hooks" in
+auto|builtin|glibc|vstr)
+	;;
+*)
+	AC_MSG_NOTICE([invalid printf hook implementation, defaulting to 'auto'])
+	printf_hooks=auto
+	;;
+esac
+
+if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then
+	# check for the new register_printf_specifier function with len argument,
+	# or the deprecated register_printf_function without
+	AC_CHECK_FUNC(
+		[register_printf_specifier],
+		[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
+		[AC_CHECK_FUNC(
+			[register_printf_function],
+			[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
+			[
+				AC_MSG_NOTICE([printf(3) does not support custom format specifiers!])
+				if test x$printf_hooks = xglibc; then
+					AC_MSG_ERROR([please select a different printf hook implementation])
+				else
+					# fallback to builtin printf hook implementation
+					printf_hooks=builtin
+				fi
+			]
+		)]
+	)
+fi
 
-if test x$vstr = xtrue; then
+if test x$printf_hooks = xvstr; then
 	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
 	AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks])
-	builtin_printf=false
 fi
 
-if test x$builtin_printf = xtrue; then
+if test x$printf_hooks = xbuiltin; then
 	AC_DEFINE([USE_BUILTIN_PRINTF], [], [using builtin printf for printf hooks])
 fi
 
@@ -1012,7 +1053,6 @@ charon_plugins=
 starter_plugins=
 pool_plugins=
 attest_plugins=
-openac_plugins=
 scepclient_plugins=
 pki_plugins=
 scripts_plugins=
@@ -1028,7 +1068,7 @@ h_plugins=
 s_plugins=
 t_plugins=
 
-ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
+ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
 ADD_PLUGIN([curl],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([soup],                 [s charon scripts nm cmd])
 ADD_PLUGIN([unbound],              [s charon scripts])
@@ -1036,37 +1076,38 @@ ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
 ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
-ADD_PLUGIN([aes],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([des],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([blowfish],             [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([rc2],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm cmd])
-ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm cmd])
-ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([md4],                  [s charon manager scepclient pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([random],               [s charon scepclient pki scripts medsrv attest nm cmd])
 ADD_PLUGIN([nonce],                [s charon nm cmd])
-ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd])
 ADD_PLUGIN([revocation],           [s charon nm cmd])
 ADD_PLUGIN([constraints],          [s charon nm cmd])
+ADD_PLUGIN([acert],                [s charon])
 ADD_PLUGIN([pubkey],               [s charon cmd])
-ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs1],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs8],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon pki])
 ADD_PLUGIN([sshkey],               [s charon pki nm cmd])
 ADD_PLUGIN([dnscert],              [c charon])
 ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([gcrypt],               [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
-ADD_PLUGIN([gmp],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([xcbc],                 [s charon nm cmd])
@@ -1148,7 +1189,6 @@ AC_SUBST(charon_plugins)
 AC_SUBST(starter_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
-AC_SUBST(openac_plugins)
 AC_SUBST(scepclient_plugins)
 AC_SUBST(pki_plugins)
 AC_SUBST(scripts_plugins)
@@ -1189,6 +1229,7 @@ AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
 AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
 AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
 AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
+AM_CONDITIONAL(USE_ACERT, test x$acert = xtrue)
 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
 AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
 AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
@@ -1329,8 +1370,8 @@ AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
-AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
-AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$builtin_printf = xtrue)
+AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr)
+AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
 AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
@@ -1414,6 +1455,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/x509/Makefile
 	src/libstrongswan/plugins/revocation/Makefile
 	src/libstrongswan/plugins/constraints/Makefile
+	src/libstrongswan/plugins/acert/Makefile
 	src/libstrongswan/plugins/pubkey/Makefile
 	src/libstrongswan/plugins/pkcs1/Makefile
 	src/libstrongswan/plugins/pkcs7/Makefile
@@ -1453,6 +1495,7 @@ AC_CONFIG_FILES([
 	src/libipsec/Makefile
 	src/libsimaka/Makefile
 	src/libtls/Makefile
+	src/libtls/tests/Makefile
 	src/libradius/Makefile
 	src/libtncif/Makefile
 	src/libtnccs/Makefile
@@ -1542,7 +1585,6 @@ AC_CONFIG_FILES([
 	src/_updown/Makefile
 	src/_updown_espmark/Makefile
 	src/_copyright/Makefile
-	src/openac/Makefile
 	src/scepclient/Makefile
 	src/pki/Makefile
 	src/pki/man/Makefile
@@ -1579,6 +1621,7 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---req.1
 	src/pki/man/pki---self.1
 	src/pki/man/pki---signcrl.1
+	src/pki/man/pki---acert.1
 	src/pki/man/pki---verify.1
 ])
 
diff --git a/init/Makefile.in b/init/Makefile.in
index c9ace238e..9937f3b76 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -347,7 +347,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 766402660..18d789d10 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -316,7 +316,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4
index 2e4552068..9d51cb9b2 100644
--- a/m4/macros/enable-disable.m4
+++ b/m4/macros/enable-disable.m4
@@ -2,6 +2,7 @@
 # ARG_ENABL_SET(option, help)
 # ---------------------------
 # Create a --enable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $disabled_by_default
 AC_DEFUN([ARG_ENABL_SET],
 	[AC_ARG_ENABLE(
 		[$1],
@@ -14,7 +15,8 @@ AC_DEFUN([ARG_ENABL_SET],
 		fi],
 		[patsubst([$1], [-], [_])=false
 		patsubst([$1], [-], [_])_given=false]
-	)]
+	)
+	disabled_by_default=${disabled_by_default}" patsubst([$1], [-], [_])"]
 )
 
 # ARG_DISBL_SET(option, help)
diff --git a/man/Makefile.in b/man/Makefile.in
index d4a38b10e..72312c469 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -318,7 +318,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 40001f848..f55ce75f1 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -419,7 +419,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/scripts/aes-test.c b/scripts/aes-test.c
index eb94180f8..425a4dc4f 100644
--- a/scripts/aes-test.c
+++ b/scripts/aes-test.c
@@ -313,7 +313,7 @@ static bool do_test_gcm(test_vector_t *test)
 			return FALSE;
 	}
 
-	aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len);
+	aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len, 4);
 	if (!aead)
 	{
 		DBG1(DBG_APP, "algorithm %N or key length (%d bits) not supported",
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
index 729472e7d..1768d769b 100644
--- a/scripts/crypt_burn.c
+++ b/scripts/crypt_burn.c
@@ -61,7 +61,7 @@ int main(int argc, char *argv[])
 	if (encryption_algorithm_is_aead(token->algorithm))
 	{
 		aead = lib->crypto->create_aead(lib->crypto,
-										token->algorithm, token->keysize / 8);
+									token->algorithm, token->keysize / 8, 0);
 		if (!aead)
 		{
 			fprintf(stderr, "aead '%s' not supported!\n", argv[1]);
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 7ec477aae..84a32f96f 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -105,7 +105,7 @@ static int run_client(host_t *host, identification_t *server,
 			close(fd);
 			return 1;
 		}
-		tls = tls_socket_create(FALSE, server, client, fd, cache);
+		tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE);
 		if (!tls)
 		{
 			close(fd);
@@ -162,7 +162,7 @@ static int serve(host_t *host, identification_t *server,
 		}
 		DBG1(DBG_TLS, "%#H connected", host);
 
-		tls = tls_socket_create(TRUE, server, NULL, cfd, cache);
+		tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
 		if (!tls)
 		{
 			close(fd);
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d11893d1..93da4893f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -73,7 +73,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += openac scepclient pki
+  SUBDIRS += scepclient pki
 endif
 
 if USE_CONFTEST
diff --git a/src/Makefile.in b/src/Makefile.in
index 1c2a427f7..d1950d13d 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -95,7 +95,7 @@ host_triplet = @host@
 @USE_NM_TRUE@am__append_16 = charon-nm
 @USE_STROKE_TRUE@am__append_17 = stroke
 @USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_19 = openac scepclient pki
+@USE_TOOLS_TRUE@am__append_19 = scepclient pki
 @USE_CONFTEST_TRUE@am__append_20 = conftest
 @USE_DUMM_TRUE@am__append_21 = dumm
 @USE_FAST_TRUE@am__append_22 = libfast
@@ -183,9 +183,9 @@ CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
 	libtls libradius libtncif libtnccs libpttls libimcv libpts \
 	libcharon starter ipsec _copyright charon charon-nm stroke \
-	_updown _updown_espmark openac scepclient pki conftest dumm \
-	libfast manager medsrv pool charon-tkm charon-cmd \
-	pt-tls-client checksum
+	_updown _updown_espmark scepclient pki conftest dumm libfast \
+	manager medsrv pool charon-tkm charon-cmd pt-tls-client \
+	checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -381,7 +381,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 0783f9e7b..4377ca0ac 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -339,7 +339,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index e77049543..b015e3d96 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 918bd6a89..ee814a4eb 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 62d6cd725..0e5c00a14 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 955d15313..edc3d7743 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -347,7 +347,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index f0daff61e..67366a067 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -329,7 +329,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
 					"Failed to create dummy TUN device.");
-		gateway->destroy(gateway);
 		return FALSE;
 	}
 	address = nm_setting_vpn_get_data_item(vpn, "address");
@@ -660,6 +659,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 					key->destroy(key);
 					return FALSE;
 				}
+				else if (nm_setting_vpn_get_secret(settings, "password"))
+				{
+					return FALSE;
+				}
 			}
 		}
 		else if (streq(method, "smartcard"))
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 15e654d00..8005d076b 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f3b7cfd56..f808ce0d7 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -343,7 +343,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index d172b1545..82bbadcf1 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -100,7 +100,6 @@ if USE_CMD
 endif
 
 if USE_TOOLS
-  exes += $(DESTDIR)$(ipsecdir)/openac
   exes += $(DESTDIR)$(ipsecdir)/scepclient
   exes += $(DESTDIR)$(bindir)/pki
 endif
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index cdfbf1016..d798d315e 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -105,8 +105,7 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon
 @MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
 @USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
-@USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/openac \
-@USE_TOOLS_TRUE@	$(DESTDIR)$(ipsecdir)/scepclient \
+@USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient \
 @USE_TOOLS_TRUE@	$(DESTDIR)$(bindir)/pki
 @USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
 @USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
@@ -412,7 +411,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index ee6bf57f5..453e8f827 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -357,7 +357,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index f1628ef69..2f7b2ea9c 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -378,7 +378,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 1987dbde5..f5277e314 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 69b736a7a..545123bfd 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index b7d820e21..17010608f 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.1.2rc2" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.2.0dr1" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 3c1f99825..61632188a 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -70,7 +70,6 @@ case "$1" in
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
 	echo "	rereadacerts|rereadcrls|rereadall"
 	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
-	echo "	openac"
 	echo "	scepclient"
 	echo "	secrets"
 	echo "	starter"
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 5f8453616..b300df3b2 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -870,7 +870,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index c74daa0cc..e08bb3f67 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -385,7 +385,7 @@ METHOD(ike_cfg_t, equals, bool,
 		return FALSE;
 	}
 	e1 = this->proposals->create_enumerator(this->proposals);
-	e2 = this->proposals->create_enumerator(this->proposals);
+	e2 = other->proposals->create_enumerator(other->proposals);
 	while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2))
 	{
 		if (!p1->equals(p1, p2))
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 891d1be84..2ecdb4f2e 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2014 Tobias Brunner
  * Copyright (C) 2006-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -193,7 +193,7 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
 {
 	enumerator_t *e1, *e2;
 	u_int16_t alg1, alg2, ks1, ks2;
-	bool found = FALSE;
+	bool found = FALSE, optional = FALSE;
 
 	if (type == INTEGRITY_ALGORITHM &&
 		selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) &&
@@ -202,12 +202,27 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
 		/* no integrity algorithm required, we have an AEAD */
 		return TRUE;
 	}
+	if (type == DIFFIE_HELLMAN_GROUP)
+	{
+		optional = this->protocol == PROTO_ESP || this->protocol == PROTO_AH;
+	}
 
 	e1 = create_enumerator(this, type);
 	e2 = other->create_enumerator(other, type);
-	if (!e1->enumerate(e1, NULL, NULL) && !e2->enumerate(e2, NULL, NULL))
+	if (!e1->enumerate(e1, NULL, NULL))
 	{
-		found = TRUE;
+		if (!e2->enumerate(e2, &alg2, NULL))
+		{
+			found = TRUE;
+		}
+		else if (optional)
+		{
+			do
+			{	/* if the other peer proposes NONE, we accept the proposal */
+				found = !alg2;
+			}
+			while (!found && e2->enumerate(e2, &alg2, NULL));
+		}
 	}
 
 	e1->destroy(e1);
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index a32f5705d..05d41051b 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -224,6 +224,9 @@ METHOD(cert_payload_t, get_cert, certificate_t*,
 		case ENC_X509_SIGNATURE:
 			type = CERT_X509;
 			break;
+		case ENC_X509_ATTRIBUTE:
+			type = CERT_X509_AC;
+			break;
 		case ENC_CRL:
 			type = CERT_X509_CRL;
 			break;
@@ -333,6 +336,9 @@ cert_payload_t *cert_payload_create_from_cert(payload_type_t type,
 		case CERT_X509:
 			this->encoding = ENC_X509_SIGNATURE;
 			break;
+		case CERT_X509_AC:
+			this->encoding = ENC_X509_ATTRIBUTE;
+			break;
 		default:
 			DBG1(DBG_ENC, "embedding %N certificate in payload failed",
 				 certificate_type_names, cert->get_type(cert));
@@ -380,4 +386,3 @@ cert_payload_t *cert_payload_create_custom(payload_type_t type,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index cb9b359b3..3e35b75c6 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -361,12 +361,20 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		case PROTO_IKE:
-			if (this->spi.len != 0 && this->spi.len  != 8)
+			if (this->type == PROPOSAL_SUBSTRUCTURE_V1)
 			{
-				DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
-				return FAILED;
+				if (this->spi.len <= 16)
+				{	/* according to RFC 2409, section 3.5 anything between
+					 * 0 and 16 is fine */
+					break;
+				}
 			}
-			break;
+			else if (this->spi.len == 0 || this->spi.len  == 8)
+			{
+				break;
+			}
+			DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
+			return FAILED;
 		default:
 			break;
 	}
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index bc32b5ade..0aa635a43 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 6278a6234..f44734cc6 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index ae64a8758..361b36187 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index f812770f3..e218c8a4f 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index d8eb802b7..bb951264f 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 395cd76ea..81f2b7868 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index e092771f4..f5325b566 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -47,22 +47,6 @@ struct private_dhcp_provider_t {
 };
 
 /**
- * Hashtable hash function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * Hashtable equals function
- */
-static bool equals(void *a, void *b)
-{
-	return a == b;
-}
-
-/**
  * Hash ID and host to a key
  */
 static uintptr_t hash_id_host(identification_t *id, host_t *host)
@@ -226,7 +210,8 @@ dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket)
 		},
 		.socket = socket,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.transactions = hashtable_create(hash, equals, 8),
+		.transactions = hashtable_create(hashtable_hash_ptr,
+										 hashtable_equals_ptr, 8),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index 4be453ea8..d9eeddf70 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index e9da68ee8..0b12cf320 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -380,7 +380,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 67cf66720..9e771ae46 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 7d6ae956c..91c4bb10b 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 6ff0acb32..16d0b4203 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 99ae94e37..1c8d51b94 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 688879a82..4c536b2a0 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 150b131f0..d9938dd00 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index d52f26a9a..7caac9c76 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 49e3dd142..511506869 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -792,12 +792,14 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 					 "invalid auth string");
 				goto error;
 			}
+			chunk_free(&auth_string);
 			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
 			auth_string = chunk_from_hex(hex, NULL);
 		}
 		else if (strpfx(token, "M="))
 		{
 			token += 2;
+			free(msg);
 			msg = strdup(token);
 		}
 	}
@@ -883,6 +885,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 					 "invalid challenge");
 				goto error;
 			}
+			chunk_free(&challenge);
 			hex = chunk_create(token, 2 * CHALLENGE_LEN);
 			challenge = chunk_from_hex(hex, NULL);
 		}
@@ -893,6 +896,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		else if (strpfx(token, "M="))
 		{
 			token += 2;
+			free(msg);
 			msg = strdup(token);
 		}
 	}
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 7ac4a6edf..29d8c8bb0 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 3e2bf046d..fbce3127f 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 8c780e78d..5fb1bbb75 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -410,7 +410,12 @@ static job_requeue_t send_interim(interim_data_t *data)
 	{
 		if (!send_message(this, message))
 		{
-			eap_radius_handle_timeout(data->id);
+			if (lib->settings->get_bool(lib->settings,
+							"%s.plugins.eap-radius.accounting_close_on_timeout",
+							TRUE, lib->ns))
+			{
+				eap_radius_handle_timeout(data->id);
+			}
 		}
 		message->destroy(message);
 	}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index b873e1d69..54d52a98c 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -74,22 +74,6 @@ typedef struct {
 static private_eap_radius_forward_t *singleton = NULL;
 
 /**
- * Hashtable hash function
- */
-static u_int hash(uintptr_t key)
-{
-	return key;
-}
-
-/**
- * Hashtable equals function
- */
-static bool equals(uintptr_t a, uintptr_t b)
-{
-	return a == b;
-}
-
-/**
  * Free a queue entry
  */
 static void free_attribute(chunk_t *chunk)
@@ -442,10 +426,8 @@ eap_radius_forward_t *eap_radius_forward_create()
 		.to_attr = parse_selector(lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-radius.forward.radius_to_ike", "",
 							lib->ns)),
-		.from = hashtable_create((hashtable_hash_t)hash,
-						(hashtable_equals_t)equals, 8),
-		.to = hashtable_create((hashtable_hash_t)hash,
-						(hashtable_equals_t)equals, 8),
+		.from = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8),
+		.to = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 3707f64f3..10b881f59 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 05bbc3129..e4552d196 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index a22a5c355..628f5372a 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 189baacbc..4a8127fc1 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 33443a1d2..8ac480d48 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 02cf1532c..79b45a9c1 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index ec189f895..c2b8b4feb 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 6d4ff8756..1f2ace21d 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index a22b1e220..b6937877d 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index d8a135cc1..8dd787569 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -381,7 +381,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 60c55f01e..13f0e5260 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 2f3263064..d7a77ee17 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index ce1afe6f9..60e75fc7e 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -59,22 +59,6 @@ struct private_ha_cache_t {
 };
 
 /**
- * Hashtable hash function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * Hashtable equals function
- */
-static bool equals(void *a, void *b)
-{
-	return a == b;
-}
-
-/**
  * Cache entry for an IKE_SA
  */
 typedef struct {
@@ -380,7 +364,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket,
 		.count = count,
 		.kernel = kernel,
 		.socket = socket,
-		.cache = hashtable_create(hash, equals, 8),
+		.cache = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 2ee5a49f1..1f62f4026 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 1726c689c..3bc289d22 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 48163aff2..f7179cfe8 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 2369044dd..561d69a23 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -383,7 +383,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 4b6d214de..57aaeeaeb 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -379,7 +379,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 314088a25..e1d4ee301 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 8d7ca04e6..b6a04dfe7 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 7abc23e50..82d985e57 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index b891f55f1..ce8d67c53 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index bf85d5713..3dbebd807 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 43f3c6fbf..e0134e7a2 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 155113e48..894c1f9dc 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index da40a433b..a0e2d2d93 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 963804932..02967d0dd 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 11a8771cc..253203de7 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index ea168058f..1aa49ce0d 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -31,8 +31,9 @@
 #include <credentials/certificates/ac.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/pgp_certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <config/peer_cfg.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
 
 /* warning intervals for list functions */
 #define CERT_WARNING_INTERVAL  30	/* days */
@@ -1027,16 +1028,19 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 {
 	bool first = TRUE;
-	time_t thisUpdate, nextUpdate, now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
+	time_t notBefore, notAfter, now = time(NULL);
+	enumerator_t *enumerator;
 	certificate_t *cert;
 
-	while (enumerator->enumerate(enumerator, (void**)&cert))
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &cert))
 	{
 		ac_t *ac = (ac_t*)cert;
+		ac_group_type_t type;
 		identification_t *id;
-		ietf_attributes_t *groups;
+		enumerator_t *groups;
 		chunk_t chunk;
+		bool firstgroup = TRUE;
 
 		if (first)
 		{
@@ -1061,30 +1065,79 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 		{
 			fprintf(out, "  hserial:   %#B\n", &chunk);
 		}
-		groups = ac->get_groups(ac);
-		if (groups)
+		groups = ac->create_group_enumerator(ac);
+		while (groups->enumerate(groups, &type, &chunk))
 		{
-			fprintf(out, "  groups:    %s\n", groups->get_string(groups));
-			groups->destroy(groups);
+			int oid;
+			char *str;
+
+			if (firstgroup)
+			{
+				fprintf(out, "  groups:    ");
+				firstgroup = FALSE;
+			}
+			else
+			{
+				fprintf(out, "             ");
+			}
+			switch (type)
+			{
+				case AC_GROUP_TYPE_STRING:
+					fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
+					break;
+				case AC_GROUP_TYPE_OID:
+					oid = asn1_known_oid(chunk);
+					if (oid == OID_UNKNOWN)
+					{
+						str = asn1_oid_to_string(chunk);
+						if (str)
+						{
+							fprintf(out, "%s", str);
+							free(str);
+						}
+						else
+						{
+							fprintf(out, "OID:%#B", &chunk);
+						}
+					}
+					else
+					{
+						fprintf(out, "%s", oid_names[oid].name);
+					}
+					break;
+				case AC_GROUP_TYPE_OCTETS:
+					fprintf(out, "%#B", &chunk);
+					break;
+			}
+			fprintf(out, "\n");
 		}
+		groups->destroy(groups);
 		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 		chunk  = chunk_skip_zero(ac->get_serial(ac));
 		fprintf(out, "  serial:    %#B\n", &chunk);
 
 		/* list validity */
-		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %T, ", &nextUpdate, utc);
-		if (now > nextUpdate)
+		cert->get_validity(cert, &now, &notBefore, &notAfter);
+		fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
+		if (now < notBefore)
 		{
-			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
+			fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
+		}
+		else
+		{
+			fprintf(out, "ok\n");
+		}
+		fprintf(out, "             not after  %T, ", &notAfter, utc);
+		if (now > notAfter)
+		{
+			fprintf(out, "expired (%V ago)\n", &now, &notAfter);
 		}
 		else
 		{
 			fprintf(out, "ok");
-			if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
+			if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
 			{
-				fprintf(out, " (expires in %V)", &now, &nextUpdate);
+				fprintf(out, " (expires in %V)", &now, &notAfter);
 			}
 			fprintf(out, " \n");
 		}
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 63724728a..76b2c5703 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index ace18e77c..194113088 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index 8f24daea3..a652e7067 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -779,7 +779,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 			return FALSE;
 		}
 		DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert);
-		this->creds->add_cert(this->creds, TRUE, cert);
+		cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
 
 		/* load MAP client private key */
 		if (client_key)
@@ -876,7 +876,8 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 	}
 
 	/* open TLS socket */
-	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL);
+	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
+								  NULL, TLS_1_2, FALSE);
 	if (!this->tls)
 	{
 		DBG1(DBG_TNC, "creating TLS socket failed");
@@ -923,4 +924,3 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am
index cc7c934d8..48de82571 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -15,12 +15,13 @@ if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
 else
 plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
+endif
+
 libstrongswan_tnc_pdp_la_LIBADD = \
 	$(top_builddir)/src/libradius/libradius.la \
 	$(top_builddir)/src/libpttls/libpttls.la \
 	$(top_builddir)/src/libtls/libtls.la \
 	$(top_builddir)/src/libtnccs/libtnccs.la
-endif
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index b2958efdb..875aa99d1 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -127,11 +127,11 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-@MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_DEPENDENCIES =  \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libpttls/libpttls.la \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libtnccs/libtnccs.la
+libstrongswan_tnc_pdp_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libradius/libradius.la \
+	$(top_builddir)/src/libpttls/libpttls.la \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libtnccs/libtnccs.la
 am_libstrongswan_tnc_pdp_la_OBJECTS = tnc_pdp_plugin.lo tnc_pdp.lo \
 	tnc_pdp_connections.lo
 libstrongswan_tnc_pdp_la_OBJECTS =  \
@@ -377,7 +377,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -432,11 +431,11 @@ AM_CFLAGS = \
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
-@MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_LIBADD = \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libpttls/libpttls.la \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la \
-@MONOLITHIC_FALSE@	$(top_builddir)/src/libtnccs/libtnccs.la
+libstrongswan_tnc_pdp_la_LIBADD = \
+	$(top_builddir)/src/libradius/libradius.la \
+	$(top_builddir)/src/libpttls/libpttls.la \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libtnccs/libtnccs.la
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index b2b473c32..8c38ceade 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 2d9f59678..165590dee 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 65fe14e1d..efb7e958d 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index e2d6d32fb..36cf78eca 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index aa8ad2e10..e3588ad7d 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -380,7 +380,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index cf0c326e3..b78a91764 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 2d18f60df..e4d96a954 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 8173631ae..5fe4c064f 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 1ee269e04..2a6aec0c3 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 8c7ba8d55..88ad14faf 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -97,10 +97,35 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
 {
 	aead_t *aead_i, *aead_r;
 	chunk_t key = chunk_empty;
+	u_int salt_size;
+
+	switch (alg)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			/* RFC 4106 */
+			salt_size = 4;
+			break;
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+			/* RFC 4309 */
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			/* RFC 5529 */
+			salt_size = 3;
+			break;
+		default:
+			DBG1(DBG_IKE, "nonce size for %N unknown!",
+				 encryption_algorithm_names, alg);
+			return FALSE;
+	}
 
 	/* SK_ei/SK_er used for encryption */
-	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
-	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
+	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
 	if (aead_i == NULL || aead_r == NULL)
 	{
 		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index ac3be900f..a5252ab70 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this,
 			case CREATE_CHILD_SA:
 			{	/* FIXME: we should prevent this on mediation connections */
 				bool notify_found = FALSE, ts_found = FALSE;
+
+				if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+					this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
+				{
+					DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
+						 "unestablished IKE_SA, rejected");
+					return FAILED;
+				}
+
 				enumerator = message->create_payload_enumerator(message);
 				while (enumerator->enumerate(enumerator, &payload))
 				{
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index e898efc88..88b032c8b 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -17,6 +17,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/delete_payload.h>
+#include <sa/ikev2/tasks/child_create.h>
 
 
 typedef struct private_child_delete_t private_child_delete_t;
@@ -313,6 +314,17 @@ METHOD(task_t, build_i, status_t,
 	}
 	log_children(this);
 	build_payloads(this, message);
+
+	if (!this->rekeyed && this->expired)
+	{
+		child_cfg_t *child_cfg;
+
+		DBG1(DBG_IKE, "scheduling CHILD_SA recreate after hard expire");
+		child_cfg = child_sa->get_config(child_sa);
+		this->ike_sa->queue_task(this->ike_sa, (task_t*)
+				child_create_create(this->ike_sa, child_cfg->get_ref(child_cfg),
+									FALSE, NULL, NULL));
+	}
 	return NEED_MORE;
 }
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index a93e5137e..6dbc4dec3 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -22,6 +22,7 @@
 #include <encoding/payloads/certreq_payload.h>
 #include <encoding/payloads/auth_payload.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
 
 
 typedef struct private_ike_cert_post_t private_ike_cert_post_t;
@@ -105,12 +106,109 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 }
 
 /**
+ * Add subject certificate to message
+ */
+static bool add_subject_cert(private_ike_cert_post_t *this, auth_cfg_t *auth,
+							 message_t *message)
+{
+	cert_payload_t *payload;
+	certificate_t *cert;
+
+	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (!cert)
+	{
+		return FALSE;
+	}
+	payload = build_cert_payload(this, cert);
+	if (!payload)
+	{
+		return FALSE;
+	}
+	DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert));
+	message->add_payload(message, (payload_t*)payload);
+	return TRUE;
+}
+
+/**
+ * Add intermediate CA certificates to message
+ */
+static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth,
+						 message_t *message)
+{
+	cert_payload_t *payload;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_rule_t type;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &cert))
+	{
+		if (type == AUTH_RULE_IM_CERT)
+		{
+			payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+			if (payload)
+			{
+				DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+					 cert->get_subject(cert));
+				message->add_payload(message, (payload_t*)payload);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Add any valid attribute certificates of subject to message
+ */
+static void add_attribute_certs(private_ike_cert_post_t *this,
+								auth_cfg_t *auth, message_t *message)
+{
+	certificate_t *subject, *cert;
+
+	subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (subject && subject->get_type(subject) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)subject;
+		identification_t *id, *serial;
+		enumerator_t *enumerator;
+		cert_payload_t *payload;
+		ac_t *ac;
+
+		/* we look for attribute certs having our serial and holder issuer,
+		 * which is recommended by RFC 5755 */
+		serial = identification_create_from_encoding(ID_KEY_ID,
+													 x509->get_serial(x509));
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509_AC, KEY_ANY, serial, FALSE);
+		while (enumerator->enumerate(enumerator, &ac))
+		{
+			cert = &ac->certificate;
+			id = ac->get_holderIssuer(ac);
+			if (id && id->equals(id, subject->get_issuer(subject)) &&
+				cert->get_validity(cert, NULL, NULL, NULL))
+			{
+				payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+				if (payload)
+				{
+					DBG1(DBG_IKE, "sending attribute certificate "
+						 "issued by \"%Y\"", cert->get_issuer(cert));
+					message->add_payload(message, (payload_t*)payload);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+		serial->destroy(serial);
+	}
+}
+
+/**
  * add certificates to message
  */
 static void build_certs(private_ike_cert_post_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
 	auth_payload_t *payload;
+	auth_cfg_t *auth;
 
 	payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
@@ -130,46 +228,13 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 			}
 			/* FALL */
 		case CERT_ALWAYS_SEND:
-		{
-			cert_payload_t *payload;
-			enumerator_t *enumerator;
-			certificate_t *cert;
-			auth_rule_t type;
-			auth_cfg_t *auth;
-
 			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-
-			/* get subject cert first, then issuing certificates */
-			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-			if (!cert)
+			if (add_subject_cert(this, auth, message))
 			{
-				break;
+				add_im_certs(this, auth, message);
+				add_attribute_certs(this, auth, message);
 			}
-			payload = build_cert_payload(this, cert);
-			if (!payload)
-			{
-				break;
-			}
-			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
-				 cert->get_subject(cert));
-			message->add_payload(message, (payload_t*)payload);
-
-			enumerator = auth->create_enumerator(auth);
-			while (enumerator->enumerate(enumerator, &type, &cert))
-			{
-				if (type == AUTH_RULE_IM_CERT)
-				{
-					payload = cert_payload_create_from_cert(CERTIFICATE, cert);
-					if (payload)
-					{
-						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
-							 cert->get_subject(cert));
-						message->add_payload(message, (payload_t*)payload);
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
+			break;
 	}
 }
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index bd28b29d7..558b1e914 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -260,6 +260,30 @@ static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
 }
 
 /**
+ * Process an attribute certificate payload
+ */
+static void process_ac(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		if (cert->get_issuer(cert))
+		{
+			DBG1(DBG_IKE, "received attribute certificate issued by \"%Y\"",
+				 cert->get_issuer(cert));
+		}
+		else if (cert->get_subject(cert))
+		{
+			DBG1(DBG_IKE, "received attribute certificate for \"%Y\"",
+				 cert->get_subject(cert));
+		}
+		auth->add(auth, AUTH_HELPER_AC_CERT, cert);
+	}
+}
+
+/**
  * Process certificate payloads
  */
 static void process_certs(private_ike_cert_pre_t *this, message_t *message)
@@ -298,13 +322,15 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 				case ENC_CRL:
 					process_crl(cert_payload, auth);
 					break;
+				case ENC_X509_ATTRIBUTE:
+					process_ac(cert_payload, auth);
+					break;
 				case ENC_PKCS7_WRAPPED_X509:
 				case ENC_PGP:
 				case ENC_DNS_SIGNED_KEY:
 				case ENC_KERBEROS_TOKEN:
 				case ENC_ARL:
 				case ENC_SPKI:
-				case ENC_X509_ATTRIBUTE:
 				case ENC_RAW_RSA_KEY:
 				case ENC_X509_HASH_AND_URL_BUNDLE:
 				case ENC_OCSP_CONTENT:
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index dbfb9889b..f4405ae09 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 5e0bf3f17..be3e36c48 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -430,7 +430,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index e762b7757..ed13f1eaa 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index a27fd57b1..c1788df94 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -242,10 +242,13 @@ static void load_entries(private_attr_provider_t *this)
 				{
 					if (family == AF_INET)
 					{	/* IPv4 attributes contain a subnet mask */
-						u_int32_t netmask;
+						u_int32_t netmask = 0;
 
-						mask = 32 - mask;
-						netmask = htonl((0xFFFFFFFF >> mask) << mask);
+						if (mask)
+						{	/* shifting u_int32_t by 32 or more is undefined */
+							mask = 32 - mask;
+							netmask = htonl((0xFFFFFFFF >> mask) << mask);
+						}
 						data = chunk_cat("cc", host->get_address(host),
 										 chunk_from_thing(netmask));
 					}
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 1d258f2fb..5d88c771e 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index c804c8e81..f20ceb44b 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 5910cfd92..26cde7cbf 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 5d0e927de..658ec7bc9 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 8e01d2992..cdb09b106 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index a8a57a5a2..63c38bb7c 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1576,16 +1576,20 @@ retry:
 		}
 		DBG1(DBG_KNL, "PF_ROUTE lookup failed: %s", strerror(errno));
 	}
-	if (!host)
+	if (nexthop)
 	{
-		return NULL;
+		host = host ?: dest->clone(dest);
 	}
-	if (!nexthop)
+	else
 	{	/* make sure the source address is not virtual and usable */
 		addr_entry_t *entry, lookup = {
 			.ip = host,
 		};
 
+		if (!host)
+		{
+			return NULL;
+		}
 		this->lock->read_lock(this->lock);
 		entry = this->addrs->get_match(this->addrs, &lookup,
 									(void*)addr_map_entry_match_up_and_usable);
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 0e520f126..e76ba577d 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 4c8287b70..9d8d86358 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -450,7 +450,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 9d938b9b8..7f3bae813 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -204,6 +204,18 @@ INSERT INTO products (			/* 34 */
  'Android 4.4.2'
 );
 
+INSERT INTO products (			/* 35 */
+  name
+) VALUES (
+ 'Ubuntu 14.04 i686'
+);
+
+INSERT INTO products (			/* 36 */
+  name
+) VALUES (
+ 'Ubuntu 14.04 x86_64'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -729,6 +741,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  6, 35
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   7, 8
 );
 
@@ -777,6 +795,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  7, 36
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   3, 21
 );
 
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index bfb3f0022..7b25614f3 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -368,7 +368,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 3db0f2ba2..afcaf1ac3 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 64e1c271c..1c3065456 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -368,7 +368,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index 856ced897..044175029 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 748b9a72d..525f445ef 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 3c73e8f95..3724cc582 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 737edad3f..f1a099e2f 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -410,7 +410,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 66e14f98b..5e58f66da 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -216,7 +216,8 @@ static bool create_aead(private_esp_context_t *this, int alg,
 		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
 			/* the key includes a 4 byte salt */
-			this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4);
+			this->aead = lib->crypto->create_aead(lib->crypto, alg,
+												  key.len - 4, 4);
 			break;
 		default:
 			break;
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index 05c27d9cb..af5eafd7f 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -448,7 +448,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 7a539ef22..dd347d2d8 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c
index 467b998c8..c71b21666 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation.c
@@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 							  TNC_Version max_version,
 							  TNC_Version *actual_version)
 {
+	bool mandatory_dh_groups;
+
 	if (imc_attestation)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
@@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		return TNC_RESULT_FATAL;
 	}
 
+	mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+			"%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns);
+
 	if (!pts_meas_algo_probe(&supported_algorithms) ||
-		!pts_dh_group_probe(&supported_dh_groups))
+		!pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups))
 	{
 		imc_attestation->destroy(imc_attestation);
 		imc_attestation = NULL;
diff --git a/src/libpts/plugins/imc_swid/Makefile.in b/src/libpts/plugins/imc_swid/Makefile.in
index e1c932e45..58402636f 100644
--- a/src/libpts/plugins/imc_swid/Makefile.in
+++ b/src/libpts/plugins/imc_swid/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index c1c14d476..ff94363bf 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -382,7 +382,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index b8a6854cb..8f4df39e7 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -278,12 +278,14 @@ static void do_args(int argc, char *argv[])
 						exit(EXIT_FAILURE);
 					}
 				}
-				free(file);
 				free(dir);
+
 				if (!attest->set_file(attest, file, op == OP_ADD))
 				{
+					free(file);
 					exit(EXIT_FAILURE);
 				}
+				free(file);
 				continue;
 			}
 			case 'G':
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index e8c3c5e40..ae2660bae 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -482,6 +482,22 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							}
 						}
 
+						/* do TPM TRUSTED BOOT measurements */
+						if (strchr(workitem->get_arg_str(workitem), 'T'))
+						{
+							comp_name = pts_comp_func_name_create(PEN_ITA,
+											 PTS_ITA_COMP_FUNC_NAME_TBOOT,
+											PTS_ITA_QUALIFIER_FLAG_KERNEL |
+											PTS_ITA_QUALIFIER_TYPE_TRUSTED);
+							comp = attestation_state->create_component(
+											attestation_state, comp_name,
+											0, this->pts_db);
+							if (!comp)
+							{
+								comp_name->log(comp_name, "unregistered ");
+								comp_name->destroy(comp_name);
+							}
+						}
 						attestation_state->set_handshake_state(attestation_state,
 											IMV_ATTESTATION_STATE_NONCE_REQ);
 						continue;
@@ -706,6 +722,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	private_imv_attestation_agent_t *this;
 	imv_agent_t *agent;
 	char *hash_alg, *dh_group, *cadir;
+	bool mandatory_dh_groups;
 
 	agent = imv_agent_create(name, msg_types, countof(msg_types), id,
 							 actual_version);
@@ -718,6 +735,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 				"%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
 	dh_group = lib->settings->get_str(lib->settings,
 				"%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
+	mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+				"%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
 	cadir = lib->settings->get_str(lib->settings,
 				"%s.plugins.imv-attestation.cadir", NULL, lib->ns);
 
@@ -742,7 +761,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	libpts_init();
 
 	if (!pts_meas_algo_probe(&this->supported_algorithms) ||
-		!pts_dh_group_probe(&this->supported_dh_groups) ||
+		!pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
 		!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
 		!pts_dh_group_update(dh_group, &this->supported_dh_groups))
 	{
diff --git a/src/libpts/plugins/imv_swid/Makefile.in b/src/libpts/plugins/imv_swid/Makefile.in
index b92f7d4d0..f9bd93ce0 100644
--- a/src/libpts/plugins/imv_swid/Makefile.in
+++ b/src/libpts/plugins/imv_swid/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 8699282f0..3ab9b92e6 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -393,7 +393,7 @@ static void load_aik_blob(private_pts_t *this)
 		fseek(fp, 0L, SEEK_SET);
 
 		this->aik_blob = chunk_alloc(aikBlobLen);
-		if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp))
+		if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp) == aikBlobLen)
 		{
 			DBG2(DBG_PTS, "loaded AIK Blob from '%s'", blob_path);
 			DBG3(DBG_PTS, "AIK Blob: %B", &this->aik_blob);
@@ -401,6 +401,7 @@ static void load_aik_blob(private_pts_t *this)
 		else
 		{
 			DBG1(DBG_PTS, "unable to read AIK Blob file '%s'", blob_path);
+			chunk_free(&this->aik_blob);
 		}
 		fclose(fp);
 		return;
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index 07e8ae1da..fda644a6a 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -280,20 +280,17 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 				DB_TEXT, dir, DB_INT);
 		if (!e)
 		{
-			free(file);
-			free(dir);
-			return FAILED;
+			status = FAILED;
+			goto err;
 		}
 		dir_found = e->enumerate(e, &did);
 		e->destroy(e);
 
 		if (!dir_found)
 		{
-			free(file);
-			free(dir);
-			return NOT_FOUND;
+			status = NOT_FOUND;
+			goto err;
 		}
-
 		e = this->db->query(this->db,
 				"SELECT fh.hash FROM file_hashes AS fh "
 				"JOIN files AS f ON f.id = fh.file "
@@ -302,12 +299,10 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 				DB_TEXT, product, DB_INT, did, DB_TEXT, file, DB_INT, algo,
 				DB_BLOB);
 	}
-	free(file);
-	free(dir);
-
 	if (!e)
 	{
-		return FAILED;
+		status = FAILED;
+		goto err;
 	}
 	while (e->enumerate(e, &hash))
 	{
@@ -324,6 +319,10 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 	}
 	e->destroy(e);
 
+err:
+	free(file);
+	free(dir);
+
 	return status;
 }
 
diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c
index 41a436036..305b4ec4f 100644
--- a/src/libpts/pts/pts_dh_group.c
+++ b/src/libpts/pts/pts_dh_group.c
@@ -20,7 +20,7 @@
 /**
  * Described in header.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups)
 {
 	enumerator_t *enumerator;
 	diffie_hellman_group_t dh_group;
@@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
 
 	if (*dh_groups & PTS_DH_GROUP_IKE19)
 	{
+		/* mandatory PTS DH group is available */
 		return TRUE;
 	}
-	else
+	if (*dh_groups == PTS_DH_GROUP_NONE)
+	{
+		DBG1(DBG_PTS, "no PTS DH group available");
+		return FALSE;
+	}
+	if (mandatory_dh_groups)
 	{
 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
 											ECP_256_BIT);
+		return FALSE;
 	}
-	return FALSE;
+
+	/* at least one optional PTS DH group is available */
+	return TRUE;
 }
 
 /**
diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h
index 2aab90263..f5d951e9a 100644
--- a/src/libpts/pts/pts_dh_group.h
+++ b/src/libpts/pts/pts_dh_group.h
@@ -59,10 +59,13 @@ enum pts_dh_group_t {
 /**
  * Probe available PTS Diffie-Hellman groups
  *
- * @param dh_groups			returns set of available DH groups
- * @return					TRUE if mandatory DH groups are available
+ * @param dh_groups				returns set of available DH groups
+ * @param mandatory_dh_groups	if TRUE enforce mandatory PTS DH groups
+ * @return						TRUE if mandatory DH groups are available
+ *								or at least one optional DH group if 
+ *								mandatory_dh_groups is set to FALSE.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups);
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups);
 
 /**
  * Update supported Diffie-Hellman groups according to configuration
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index c827cb598..788c8caca 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 01a84cd14..315129d7e 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -84,7 +84,8 @@ static bool make_connection(private_pt_tls_client_t *this)
 		return FALSE;
 	}
 
-	this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL);
+	this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
+								  NULL, TLS_1_2, FALSE);
 	if (!this->tls)
 	{
 		close(fd);
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 9af00e7c2..cedc2632c 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 			.destroy = _destroy,
 		},
 		.state = PT_TLS_SERVER_VERSION,
-		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
 		.tnccs = (tls_t*)tnccs,
 		.auth = auth,
 	);
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index d903de883..6e687a310 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index ee824abdb..cb27f0535 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 440913071..2b58db554 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -20,7 +20,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
-credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index b3a4eda99..3462d2ffc 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -18,7 +18,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
-credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
@@ -61,7 +61,6 @@ credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/containers/pkcs12.h \
-credentials/ietf_attributes/ietf_attributes.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
@@ -308,6 +307,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_ACERT
+  SUBDIRS += plugins/acert
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/acert/libstrongswan-acert.la
+endif
+endif
+
 if USE_PUBKEY
   SUBDIRS += plugins/pubkey
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 64396b51f..af5ea402b 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -128,60 +128,62 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_47 = plugins/revocation/libstrongswan-revocation.la
 @USE_CONSTRAINTS_TRUE@am__append_48 = plugins/constraints
 @MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_49 = plugins/constraints/libstrongswan-constraints.la
-@USE_PUBKEY_TRUE@am__append_50 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_51 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_52 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_53 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PKCS7_TRUE@am__append_54 = plugins/pkcs7
-@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_55 = plugins/pkcs7/libstrongswan-pkcs7.la
-@USE_PKCS8_TRUE@am__append_56 = plugins/pkcs8
-@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_57 = plugins/pkcs8/libstrongswan-pkcs8.la
-@USE_PKCS12_TRUE@am__append_58 = plugins/pkcs12
-@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_59 = plugins/pkcs12/libstrongswan-pkcs12.la
-@USE_PGP_TRUE@am__append_60 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_61 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_62 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_63 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_SSHKEY_TRUE@am__append_64 = plugins/sshkey
-@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_65 = plugins/sshkey/libstrongswan-sshkey.la
-@USE_PEM_TRUE@am__append_66 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_67 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_68 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_69 = plugins/curl/libstrongswan-curl.la
-@USE_UNBOUND_TRUE@am__append_70 = plugins/unbound
-@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_71 = plugins/unbound/libstrongswan-unbound.la
-@USE_SOUP_TRUE@am__append_72 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_73 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_74 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_75 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_76 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_77 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_78 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_79 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_80 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_81 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_82 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_83 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_84 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_85 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_86 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_87 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_88 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_89 = plugins/agent/libstrongswan-agent.la
-@USE_KEYCHAIN_TRUE@am__append_90 = plugins/keychain
-@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_91 = plugins/keychain/libstrongswan-keychain.la
-@USE_PKCS11_TRUE@am__append_92 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_93 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_94 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_95 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_96 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_97 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_98 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_99 = plugins/gcm/libstrongswan-gcm.la
-@USE_NTRU_TRUE@am__append_100 = plugins/ntru
-@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_101 = plugins/ntru/libstrongswan-ntru.la
-@USE_TEST_VECTORS_TRUE@am__append_102 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_103 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_ACERT_TRUE@am__append_50 = plugins/acert
+@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_51 = plugins/acert/libstrongswan-acert.la
+@USE_PUBKEY_TRUE@am__append_52 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_53 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_54 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_55 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PKCS7_TRUE@am__append_56 = plugins/pkcs7
+@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_57 = plugins/pkcs7/libstrongswan-pkcs7.la
+@USE_PKCS8_TRUE@am__append_58 = plugins/pkcs8
+@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_59 = plugins/pkcs8/libstrongswan-pkcs8.la
+@USE_PKCS12_TRUE@am__append_60 = plugins/pkcs12
+@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_61 = plugins/pkcs12/libstrongswan-pkcs12.la
+@USE_PGP_TRUE@am__append_62 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_63 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_64 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_65 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_SSHKEY_TRUE@am__append_66 = plugins/sshkey
+@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_67 = plugins/sshkey/libstrongswan-sshkey.la
+@USE_PEM_TRUE@am__append_68 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_69 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_70 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_71 = plugins/curl/libstrongswan-curl.la
+@USE_UNBOUND_TRUE@am__append_72 = plugins/unbound
+@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_73 = plugins/unbound/libstrongswan-unbound.la
+@USE_SOUP_TRUE@am__append_74 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_75 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_76 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_77 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_78 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_79 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_80 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_81 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_82 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_83 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_84 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_85 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_86 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_87 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_88 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_89 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_90 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_91 = plugins/agent/libstrongswan-agent.la
+@USE_KEYCHAIN_TRUE@am__append_92 = plugins/keychain
+@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_93 = plugins/keychain/libstrongswan-keychain.la
+@USE_PKCS11_TRUE@am__append_94 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_95 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_96 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_97 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_98 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_99 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_100 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_101 = plugins/gcm/libstrongswan-gcm.la
+@USE_NTRU_TRUE@am__append_102 = plugins/ntru
+@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_103 = plugins/ntru/libstrongswan-ntru.la
+@USE_TEST_VECTORS_TRUE@am__append_104 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_105 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp \
@@ -254,7 +256,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_83) $(am__append_85) $(am__append_87) \
 	$(am__append_89) $(am__append_91) $(am__append_93) \
 	$(am__append_95) $(am__append_97) $(am__append_99) \
-	$(am__append_101) $(am__append_103)
+	$(am__append_101) $(am__append_103) $(am__append_105)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -277,7 +279,6 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	credentials/certificates/ocsp_response.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
-	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.c \
@@ -332,7 +333,6 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	credentials/certificates/ocsp_response.lo \
 	credentials/containers/container.lo \
 	credentials/containers/pkcs12.lo \
-	credentials/ietf_attributes/ietf_attributes.lo \
 	credentials/credential_manager.lo \
 	credentials/sets/auth_cfg_wrapper.lo \
 	credentials/sets/ocsp_response_wrapper.lo \
@@ -438,7 +438,6 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	credentials/certificates/pgp_certificate.h \
 	credentials/containers/container.h \
 	credentials/containers/pkcs7.h credentials/containers/pkcs12.h \
-	credentials/ietf_attributes/ietf_attributes.h \
 	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.h \
 	credentials/sets/ocsp_response_wrapper.h \
@@ -502,11 +501,11 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \
 	plugins/random plugins/nonce plugins/hmac plugins/cmac \
 	plugins/xcbc plugins/x509 plugins/revocation \
-	plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pkcs7 \
-	plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \
-	plugins/sshkey plugins/pem plugins/curl plugins/unbound \
-	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
-	plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \
+	plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \
+	plugins/dnskey plugins/sshkey plugins/pem plugins/curl \
+	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
+	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
 	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
 	plugins/ctr plugins/ccm plugins/gcm plugins/ntru \
 	plugins/test_vectors tests
@@ -705,7 +704,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -767,7 +765,6 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	credentials/certificates/ocsp_response.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
-	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.c \
@@ -816,7 +813,6 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \
-@USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 @USE_DEV_HEADERS_TRUE@credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 @USE_DEV_HEADERS_TRUE@credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
@@ -858,7 +854,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
 	$(am__append_87) $(am__append_89) $(am__append_91) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
-	$(am__append_99) $(am__append_101) $(am__append_103)
+	$(am__append_99) $(am__append_101) $(am__append_103) \
+	$(am__append_105)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -905,7 +902,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
 @MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
 @MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
-@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) tests
+@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) \
+@MONOLITHIC_FALSE@	$(am__append_104) tests
 
 # build plugins with their own Makefile
 #######################################
@@ -931,7 +929,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
 @MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
 @MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
-@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) . tests
+@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) \
+@MONOLITHIC_TRUE@	$(am__append_104) . tests
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -1172,15 +1171,6 @@ credentials/containers/container.lo:  \
 credentials/containers/pkcs12.lo:  \
 	credentials/containers/$(am__dirstamp) \
 	credentials/containers/$(DEPDIR)/$(am__dirstamp)
-credentials/ietf_attributes/$(am__dirstamp):
-	@$(MKDIR_P) credentials/ietf_attributes
-	@: > credentials/ietf_attributes/$(am__dirstamp)
-credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) credentials/ietf_attributes/$(DEPDIR)
-	@: > credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp)
-credentials/ietf_attributes/ietf_attributes.lo:  \
-	credentials/ietf_attributes/$(am__dirstamp) \
-	credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp)
 credentials/credential_manager.lo: credentials/$(am__dirstamp) \
 	credentials/$(DEPDIR)/$(am__dirstamp)
 credentials/sets/$(am__dirstamp):
@@ -1409,8 +1399,6 @@ mostlyclean-compile:
 	-rm -f credentials/certificates/*.lo
 	-rm -f credentials/containers/*.$(OBJEXT)
 	-rm -f credentials/containers/*.lo
-	-rm -f credentials/ietf_attributes/*.$(OBJEXT)
-	-rm -f credentials/ietf_attributes/*.lo
 	-rm -f credentials/keys/*.$(OBJEXT)
 	-rm -f credentials/keys/*.lo
 	-rm -f credentials/sets/*.$(OBJEXT)
@@ -1488,7 +1476,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/ocsp_response.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/container.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/pkcs12.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@credentials/ietf_attributes/$(DEPDIR)/ietf_attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/shared_key.Plo@am__quote@
@@ -1598,7 +1585,6 @@ clean-libtool:
 	-rm -rf credentials/.libs credentials/_libs
 	-rm -rf credentials/certificates/.libs credentials/certificates/_libs
 	-rm -rf credentials/containers/.libs credentials/containers/_libs
-	-rm -rf credentials/ietf_attributes/.libs credentials/ietf_attributes/_libs
 	-rm -rf credentials/keys/.libs credentials/keys/_libs
 	-rm -rf credentials/sets/.libs credentials/sets/_libs
 	-rm -rf crypto/.libs crypto/_libs
@@ -1852,8 +1838,6 @@ distclean-generic:
 	-rm -f credentials/certificates/$(am__dirstamp)
 	-rm -f credentials/containers/$(DEPDIR)/$(am__dirstamp)
 	-rm -f credentials/containers/$(am__dirstamp)
-	-rm -f credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp)
-	-rm -f credentials/ietf_attributes/$(am__dirstamp)
 	-rm -f credentials/keys/$(DEPDIR)/$(am__dirstamp)
 	-rm -f credentials/keys/$(am__dirstamp)
 	-rm -f credentials/sets/$(DEPDIR)/$(am__dirstamp)
@@ -1918,7 +1902,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1965,7 +1949,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 6fa8f4e54..b479b0f4b 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -199,243 +199,268 @@ const oid_t oid_names[] = {
  {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
  {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
- {0x2B,                       372, 1,  0, ""                               }, /* 189 */
- {  0x06,                     286, 1,  1, "dod"                            }, /* 190 */
+ {0x2B,                       391, 1,  0, ""                               }, /* 189 */
+ {  0x06,                     305, 1,  1, "dod"                            }, /* 190 */
  {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
- {      0x04,                 237, 1,  3, "private"                        }, /* 192 */
+ {      0x04,                 256, 1,  3, "private"                        }, /* 192 */
  {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
- {          0x82,             207, 1,  5, ""                               }, /* 194 */
- {            0x37,           204, 1,  6, "Microsoft"                      }, /* 195 */
+ {          0x82,             210, 1,  5, ""                               }, /* 194 */
+ {            0x37,           207, 1,  6, "Microsoft"                      }, /* 195 */
  {              0x0A,         200, 1,  7, ""                               }, /* 196 */
  {                0x03,         0, 1,  8, ""                               }, /* 197 */
  {                  0x03,     199, 0,  9, "msSGC"                          }, /* 198 */
  {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 199 */
- {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
+ {              0x14,         204, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
  {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 201 */
  {                  0x02,     203, 0,  9, "msSmartcardLogon"               }, /* 202 */
  {                  0x03,       0, 0,  9, "msUPN"                          }, /* 203 */
- {            0xA0,             0, 1,  6, ""                               }, /* 204 */
- {              0x2A,           0, 1,  7, "ITA"                            }, /* 205 */
- {                0x01,         0, 0,  8, "strongSwan"                     }, /* 206 */
- {          0x89,             214, 1,  5, ""                               }, /* 207 */
- {            0x31,             0, 1,  6, ""                               }, /* 208 */
- {              0x01,           0, 1,  7, ""                               }, /* 209 */
- {                0x01,         0, 1,  8, ""                               }, /* 210 */
- {                  0x02,       0, 1,  9, ""                               }, /* 211 */
- {                    0x02,     0, 1, 10, ""                               }, /* 212 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 213 */
- {          0xc1,               0, 1,  5, ""                               }, /* 214 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 215 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 216 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 217 */
- {                  0x01,     222, 1,  9, "eess1-algs"                     }, /* 218 */
- {                    0x01,   220, 0, 10, "ntru-EESS1v1-SVES"              }, /* 219 */
- {                    0x02,   221, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 220 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 221 */
- {                  0x02,     236, 1,  9, "eess1-params"                   }, /* 222 */
- {                    0x01,   224, 0, 10, "ees251ep1"                      }, /* 223 */
- {                    0x02,   225, 0, 10, "ees347ep1"                      }, /* 224 */
- {                    0x03,   226, 0, 10, "ees503ep1"                      }, /* 225 */
- {                    0x07,   227, 0, 10, "ees251sp2"                      }, /* 226 */
- {                    0x0C,   228, 0, 10, "ees251ep4"                      }, /* 227 */
- {                    0x0D,   229, 0, 10, "ees251ep5"                      }, /* 228 */
- {                    0x0E,   230, 0, 10, "ees251sp3"                      }, /* 229 */
- {                    0x0F,   231, 0, 10, "ees251sp4"                      }, /* 230 */
- {                    0x10,   232, 0, 10, "ees251sp5"                      }, /* 231 */
- {                    0x11,   233, 0, 10, "ees251sp6"                      }, /* 232 */
- {                    0x12,   234, 0, 10, "ees251sp7"                      }, /* 233 */
- {                    0x13,   235, 0, 10, "ees251sp8"                      }, /* 234 */
- {                    0x14,     0, 0, 10, "ees251sp9"                      }, /* 235 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 236 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 237 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 238 */
- {          0x07,             283, 1,  5, "id-pkix"                        }, /* 239 */
- {            0x01,           244, 1,  6, "id-pe"                          }, /* 240 */
- {              0x01,         242, 0,  7, "authorityInfoAccess"            }, /* 241 */
- {              0x03,         243, 0,  7, "qcStatements"                   }, /* 242 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 243 */
- {            0x02,           247, 1,  6, "id-qt"                          }, /* 244 */
- {              0x01,         246, 0,  7, "cps"                            }, /* 245 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 246 */
- {            0x03,           257, 1,  6, "id-kp"                          }, /* 247 */
- {              0x01,         249, 0,  7, "serverAuth"                     }, /* 248 */
- {              0x02,         250, 0,  7, "clientAuth"                     }, /* 249 */
- {              0x03,         251, 0,  7, "codeSigning"                    }, /* 250 */
- {              0x04,         252, 0,  7, "emailProtection"                }, /* 251 */
- {              0x05,         253, 0,  7, "ipsecEndSystem"                 }, /* 252 */
- {              0x06,         254, 0,  7, "ipsecTunnel"                    }, /* 253 */
- {              0x07,         255, 0,  7, "ipsecUser"                      }, /* 254 */
- {              0x08,         256, 0,  7, "timeStamping"                   }, /* 255 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 256 */
- {            0x08,           265, 1,  6, "id-otherNames"                  }, /* 257 */
- {              0x01,         259, 0,  7, "personalData"                   }, /* 258 */
- {              0x02,         260, 0,  7, "userGroup"                      }, /* 259 */
- {              0x03,         261, 0,  7, "id-on-permanentIdentifier"      }, /* 260 */
- {              0x04,         262, 0,  7, "id-on-hardwareModuleName"       }, /* 261 */
- {              0x05,         263, 0,  7, "xmppAddr"                       }, /* 262 */
- {              0x06,         264, 0,  7, "id-on-SIM"                      }, /* 263 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 264 */
- {            0x0A,           270, 1,  6, "id-aca"                         }, /* 265 */
- {              0x01,         267, 0,  7, "authenticationInfo"             }, /* 266 */
- {              0x02,         268, 0,  7, "accessIdentity"                 }, /* 267 */
- {              0x03,         269, 0,  7, "chargingIdentity"               }, /* 268 */
- {              0x04,           0, 0,  7, "group"                          }, /* 269 */
- {            0x0B,           271, 0,  6, "subjectInfoAccess"              }, /* 270 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 271 */
- {              0x01,         280, 1,  7, "ocsp"                           }, /* 272 */
- {                0x01,       274, 0,  8, "basic"                          }, /* 273 */
- {                0x02,       275, 0,  8, "nonce"                          }, /* 274 */
- {                0x03,       276, 0,  8, "crl"                            }, /* 275 */
- {                0x04,       277, 0,  8, "response"                       }, /* 276 */
- {                0x05,       278, 0,  8, "noCheck"                        }, /* 277 */
- {                0x06,       279, 0,  8, "archiveCutoff"                  }, /* 278 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 279 */
- {              0x02,         281, 0,  7, "caIssuers"                      }, /* 280 */
- {              0x03,         282, 0,  7, "timeStamping"                   }, /* 281 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 282 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 283 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 284 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 285 */
- {  0x0E,                     292, 1,  1, "oiw"                            }, /* 286 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 287 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 288 */
- {        0x07,               290, 0,  4, "des-cbc"                        }, /* 289 */
- {        0x1A,               291, 0,  4, "sha-1"                          }, /* 290 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 291 */
- {  0x24,                     338, 1,  1, "TeleTrusT"                      }, /* 292 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 293 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 294 */
- {        0x01,               299, 1,  4, "rsaSignature"                   }, /* 295 */
- {          0x02,             297, 0,  5, "rsaSigWithripemd160"            }, /* 296 */
- {          0x03,             298, 0,  5, "rsaSigWithripemd128"            }, /* 297 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 298 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 299 */
- {          0x01,             301, 0,  5, "ecSignWithsha1"                 }, /* 300 */
- {          0x02,             302, 0,  5, "ecSignWithripemd160"            }, /* 301 */
- {          0x03,             303, 0,  5, "ecSignWithmd2"                  }, /* 302 */
- {          0x04,             304, 0,  5, "ecSignWithmd5"                  }, /* 303 */
- {          0x05,             321, 1,  5, "ttt-ecg"                        }, /* 304 */
- {            0x01,           309, 1,  6, "fieldType"                      }, /* 305 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 306 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 307 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 308 */
- {            0x02,           311, 1,  6, "keyType"                        }, /* 309 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 310 */
- {            0x03,           312, 0,  6, "curve"                          }, /* 311 */
- {            0x04,           319, 1,  6, "signatures"                     }, /* 312 */
- {              0x01,         314, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 313 */
- {              0x02,         315, 0,  7, "ecgdsa-with-SHA1"               }, /* 314 */
- {              0x03,         316, 0,  7, "ecgdsa-with-SHA224"             }, /* 315 */
- {              0x04,         317, 0,  7, "ecgdsa-with-SHA256"             }, /* 316 */
- {              0x05,         318, 0,  7, "ecgdsa-with-SHA384"             }, /* 317 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 318 */
- {            0x05,             0, 1,  6, "module"                         }, /* 319 */
- {              0x01,           0, 0,  7, "1"                              }, /* 320 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 321 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 322 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 323 */
- {                0x01,       325, 0,  8, "brainpoolP160r1"                }, /* 324 */
- {                0x02,       326, 0,  8, "brainpoolP160t1"                }, /* 325 */
- {                0x03,       327, 0,  8, "brainpoolP192r1"                }, /* 326 */
- {                0x04,       328, 0,  8, "brainpoolP192t1"                }, /* 327 */
- {                0x05,       329, 0,  8, "brainpoolP224r1"                }, /* 328 */
- {                0x06,       330, 0,  8, "brainpoolP224t1"                }, /* 329 */
- {                0x07,       331, 0,  8, "brainpoolP256r1"                }, /* 330 */
- {                0x08,       332, 0,  8, "brainpoolP256t1"                }, /* 331 */
- {                0x09,       333, 0,  8, "brainpoolP320r1"                }, /* 332 */
- {                0x0A,       334, 0,  8, "brainpoolP320t1"                }, /* 333 */
- {                0x0B,       335, 0,  8, "brainpoolP384r1"                }, /* 334 */
- {                0x0C,       336, 0,  8, "brainpoolP384t1"                }, /* 335 */
- {                0x0D,       337, 0,  8, "brainpoolP512r1"                }, /* 336 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 337 */
- {  0x81,                       0, 1,  1, ""                               }, /* 338 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 339 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 340 */
- {        0x01,               342, 0,  4, "sect163k1"                      }, /* 341 */
- {        0x02,               343, 0,  4, "sect163r1"                      }, /* 342 */
- {        0x03,               344, 0,  4, "sect239k1"                      }, /* 343 */
- {        0x04,               345, 0,  4, "sect113r1"                      }, /* 344 */
- {        0x05,               346, 0,  4, "sect113r2"                      }, /* 345 */
- {        0x06,               347, 0,  4, "secp112r1"                      }, /* 346 */
- {        0x07,               348, 0,  4, "secp112r2"                      }, /* 347 */
- {        0x08,               349, 0,  4, "secp160r1"                      }, /* 348 */
- {        0x09,               350, 0,  4, "secp160k1"                      }, /* 349 */
- {        0x0A,               351, 0,  4, "secp256k1"                      }, /* 350 */
- {        0x0F,               352, 0,  4, "sect163r2"                      }, /* 351 */
- {        0x10,               353, 0,  4, "sect283k1"                      }, /* 352 */
- {        0x11,               354, 0,  4, "sect283r1"                      }, /* 353 */
- {        0x16,               355, 0,  4, "sect131r1"                      }, /* 354 */
- {        0x17,               356, 0,  4, "sect131r2"                      }, /* 355 */
- {        0x18,               357, 0,  4, "sect193r1"                      }, /* 356 */
- {        0x19,               358, 0,  4, "sect193r2"                      }, /* 357 */
- {        0x1A,               359, 0,  4, "sect233k1"                      }, /* 358 */
- {        0x1B,               360, 0,  4, "sect233r1"                      }, /* 359 */
- {        0x1C,               361, 0,  4, "secp128r1"                      }, /* 360 */
- {        0x1D,               362, 0,  4, "secp128r2"                      }, /* 361 */
- {        0x1E,               363, 0,  4, "secp160r2"                      }, /* 362 */
- {        0x1F,               364, 0,  4, "secp192k1"                      }, /* 363 */
- {        0x20,               365, 0,  4, "secp224k1"                      }, /* 364 */
- {        0x21,               366, 0,  4, "secp224r1"                      }, /* 365 */
- {        0x22,               367, 0,  4, "secp384r1"                      }, /* 366 */
- {        0x23,               368, 0,  4, "secp521r1"                      }, /* 367 */
- {        0x24,               369, 0,  4, "sect409k1"                      }, /* 368 */
- {        0x25,               370, 0,  4, "sect409r1"                      }, /* 369 */
- {        0x26,               371, 0,  4, "sect571k1"                      }, /* 370 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 371 */
- {0x60,                       420, 1,  0, ""                               }, /* 372 */
- {  0x86,                       0, 1,  1, ""                               }, /* 373 */
- {    0x48,                     0, 1,  2, ""                               }, /* 374 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 375 */
- {        0x65,               396, 1,  4, "gov"                            }, /* 376 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 377 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 378 */
- {              0x01,         389, 1,  7, "aes"                            }, /* 379 */
- {                0x02,       381, 0,  8, "id-aes128-CBC"                  }, /* 380 */
- {                0x06,       382, 0,  8, "id-aes128-GCM"                  }, /* 381 */
- {                0x07,       383, 0,  8, "id-aes128-CCM"                  }, /* 382 */
- {                0x16,       384, 0,  8, "id-aes192-CBC"                  }, /* 383 */
- {                0x1A,       385, 0,  8, "id-aes192-GCM"                  }, /* 384 */
- {                0x1B,       386, 0,  8, "id-aes192-CCM"                  }, /* 385 */
- {                0x2A,       387, 0,  8, "id-aes256-CBC"                  }, /* 386 */
- {                0x2E,       388, 0,  8, "id-aes256-GCM"                  }, /* 387 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 388 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 389 */
- {                0x01,       391, 0,  8, "id-SHA-256"                     }, /* 390 */
- {                0x02,       392, 0,  8, "id-SHA-384"                     }, /* 391 */
- {                0x03,       393, 0,  8, "id-SHA-512"                     }, /* 392 */
- {                0x04,       394, 0,  8, "id-SHA-224"                     }, /* 393 */
- {                0x05,       395, 0,  8, "id-SHA-512-224"                 }, /* 394 */
- {                0x06,         0, 0,  8, "id-SHA-512-256"                 }, /* 395 */
- {        0x86,                 0, 1,  4, ""                               }, /* 396 */
- {          0xf8,               0, 1,  5, ""                               }, /* 397 */
- {            0x42,           410, 1,  6, "netscape"                       }, /* 398 */
- {              0x01,         405, 1,  7, ""                               }, /* 399 */
- {                0x01,       401, 0,  8, "nsCertType"                     }, /* 400 */
- {                0x03,       402, 0,  8, "nsRevocationUrl"                }, /* 401 */
- {                0x04,       403, 0,  8, "nsCaRevocationUrl"              }, /* 402 */
- {                0x08,       404, 0,  8, "nsCaPolicyUrl"                  }, /* 403 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 404 */
- {              0x03,         408, 1,  7, "directory"                      }, /* 405 */
- {                0x01,         0, 1,  8, ""                               }, /* 406 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 407 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 408 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 409 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 410 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 411 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 412 */
- {                  0x02,     414, 0,  9, "messageType"                    }, /* 413 */
- {                  0x03,     415, 0,  9, "pkiStatus"                      }, /* 414 */
- {                  0x04,     416, 0,  9, "failInfo"                       }, /* 415 */
- {                  0x05,     417, 0,  9, "senderNonce"                    }, /* 416 */
- {                  0x06,     418, 0,  9, "recipientNonce"                 }, /* 417 */
- {                  0x07,     419, 0,  9, "transID"                        }, /* 418 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 419 */
- {0x67,                         0, 1,  0, ""                               }, /* 420 */
- {  0x81,                       0, 1,  1, ""                               }, /* 421 */
- {    0x05,                     0, 1,  2, ""                               }, /* 422 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 423 */
- {        0x01,               425, 0,  4, "tcg-at-tpmManufacturer"         }, /* 424 */
- {        0x02,               426, 0,  4, "tcg-at-tpmModel"                }, /* 425 */
- {        0x03,               427, 0,  4, "tcg-at-tpmVersion"              }, /* 426 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 427 */
+ {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 204 */
+ {                0x07,       206, 0,  8, "msCertTemplate"                 }, /* 205 */
+ {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 206 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 207 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 208 */
+ {                0x01,         0, 0,  8, "strongSwan"                     }, /* 209 */
+ {          0x89,             217, 1,  5, ""                               }, /* 210 */
+ {            0x31,             0, 1,  6, ""                               }, /* 211 */
+ {              0x01,           0, 1,  7, ""                               }, /* 212 */
+ {                0x01,         0, 1,  8, ""                               }, /* 213 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 214 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 215 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 216 */
+ {          0xC1,               0, 1,  5, ""                               }, /* 217 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 218 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 219 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 220 */
+ {                  0x01,     225, 1,  9, "eess1-algs"                     }, /* 221 */
+ {                    0x01,   223, 0, 10, "ntru-EESS1v1-SVES"              }, /* 222 */
+ {                    0x02,   224, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 223 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 224 */
+ {                  0x02,     255, 1,  9, "eess1-params"                   }, /* 225 */
+ {                    0x01,   227, 0, 10, "ees251ep1"                      }, /* 226 */
+ {                    0x02,   228, 0, 10, "ees347ep1"                      }, /* 227 */
+ {                    0x03,   229, 0, 10, "ees503ep1"                      }, /* 228 */
+ {                    0x07,   230, 0, 10, "ees251sp2"                      }, /* 229 */
+ {                    0x0C,   231, 0, 10, "ees251ep4"                      }, /* 230 */
+ {                    0x0D,   232, 0, 10, "ees251ep5"                      }, /* 231 */
+ {                    0x0E,   233, 0, 10, "ees251sp3"                      }, /* 232 */
+ {                    0x0F,   234, 0, 10, "ees251sp4"                      }, /* 233 */
+ {                    0x10,   235, 0, 10, "ees251sp5"                      }, /* 234 */
+ {                    0x11,   236, 0, 10, "ees251sp6"                      }, /* 235 */
+ {                    0x12,   237, 0, 10, "ees251sp7"                      }, /* 236 */
+ {                    0x13,   238, 0, 10, "ees251sp8"                      }, /* 237 */
+ {                    0x14,   239, 0, 10, "ees251sp9"                      }, /* 238 */
+ {                    0x22,   240, 0, 10, "ees401ep1"                      }, /* 239 */
+ {                    0x23,   241, 0, 10, "ees449ep1"                      }, /* 240 */
+ {                    0x24,   242, 0, 10, "ees677ep1"                      }, /* 241 */
+ {                    0x25,   243, 0, 10, "ees1087ep2"                     }, /* 242 */
+ {                    0x26,   244, 0, 10, "ees541ep1"                      }, /* 243 */
+ {                    0x27,   245, 0, 10, "ees613ep1"                      }, /* 244 */
+ {                    0x28,   246, 0, 10, "ees887ep1"                      }, /* 245 */
+ {                    0x29,   247, 0, 10, "ees1171ep1"                     }, /* 246 */
+ {                    0x2A,   248, 0, 10, "ees659ep1"                      }, /* 247 */
+ {                    0x2B,   249, 0, 10, "ees761ep1"                      }, /* 248 */
+ {                    0x2C,   250, 0, 10, "ees1087ep1"                     }, /* 249 */
+ {                    0x2D,   251, 0, 10, "ees1499ep1"                     }, /* 250 */
+ {                    0x2E,   252, 0, 10, "ees401ep2"                      }, /* 251 */
+ {                    0x2F,   253, 0, 10, "ees439ep1"                      }, /* 252 */
+ {                    0x30,   254, 0, 10, "ees593ep1"                      }, /* 253 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 254 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 255 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 256 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 257 */
+ {          0x07,             302, 1,  5, "id-pkix"                        }, /* 258 */
+ {            0x01,           263, 1,  6, "id-pe"                          }, /* 259 */
+ {              0x01,         261, 0,  7, "authorityInfoAccess"            }, /* 260 */
+ {              0x03,         262, 0,  7, "qcStatements"                   }, /* 261 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 262 */
+ {            0x02,           266, 1,  6, "id-qt"                          }, /* 263 */
+ {              0x01,         265, 0,  7, "cps"                            }, /* 264 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 265 */
+ {            0x03,           276, 1,  6, "id-kp"                          }, /* 266 */
+ {              0x01,         268, 0,  7, "serverAuth"                     }, /* 267 */
+ {              0x02,         269, 0,  7, "clientAuth"                     }, /* 268 */
+ {              0x03,         270, 0,  7, "codeSigning"                    }, /* 269 */
+ {              0x04,         271, 0,  7, "emailProtection"                }, /* 270 */
+ {              0x05,         272, 0,  7, "ipsecEndSystem"                 }, /* 271 */
+ {              0x06,         273, 0,  7, "ipsecTunnel"                    }, /* 272 */
+ {              0x07,         274, 0,  7, "ipsecUser"                      }, /* 273 */
+ {              0x08,         275, 0,  7, "timeStamping"                   }, /* 274 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 275 */
+ {            0x08,           284, 1,  6, "id-otherNames"                  }, /* 276 */
+ {              0x01,         278, 0,  7, "personalData"                   }, /* 277 */
+ {              0x02,         279, 0,  7, "userGroup"                      }, /* 278 */
+ {              0x03,         280, 0,  7, "id-on-permanentIdentifier"      }, /* 279 */
+ {              0x04,         281, 0,  7, "id-on-hardwareModuleName"       }, /* 280 */
+ {              0x05,         282, 0,  7, "xmppAddr"                       }, /* 281 */
+ {              0x06,         283, 0,  7, "id-on-SIM"                      }, /* 282 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 283 */
+ {            0x0A,           289, 1,  6, "id-aca"                         }, /* 284 */
+ {              0x01,         286, 0,  7, "authenticationInfo"             }, /* 285 */
+ {              0x02,         287, 0,  7, "accessIdentity"                 }, /* 286 */
+ {              0x03,         288, 0,  7, "chargingIdentity"               }, /* 287 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 288 */
+ {            0x0B,           290, 0,  6, "subjectInfoAccess"              }, /* 289 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 290 */
+ {              0x01,         299, 1,  7, "ocsp"                           }, /* 291 */
+ {                0x01,       293, 0,  8, "basic"                          }, /* 292 */
+ {                0x02,       294, 0,  8, "nonce"                          }, /* 293 */
+ {                0x03,       295, 0,  8, "crl"                            }, /* 294 */
+ {                0x04,       296, 0,  8, "response"                       }, /* 295 */
+ {                0x05,       297, 0,  8, "noCheck"                        }, /* 296 */
+ {                0x06,       298, 0,  8, "archiveCutoff"                  }, /* 297 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 298 */
+ {              0x02,         300, 0,  7, "caIssuers"                      }, /* 299 */
+ {              0x03,         301, 0,  7, "timeStamping"                   }, /* 300 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 301 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 302 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 303 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 304 */
+ {  0x0E,                     311, 1,  1, "oiw"                            }, /* 305 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 306 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 307 */
+ {        0x07,               309, 0,  4, "des-cbc"                        }, /* 308 */
+ {        0x1A,               310, 0,  4, "sha-1"                          }, /* 309 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 310 */
+ {  0x24,                     357, 1,  1, "TeleTrusT"                      }, /* 311 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 312 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 313 */
+ {        0x01,               318, 1,  4, "rsaSignature"                   }, /* 314 */
+ {          0x02,             316, 0,  5, "rsaSigWithripemd160"            }, /* 315 */
+ {          0x03,             317, 0,  5, "rsaSigWithripemd128"            }, /* 316 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 317 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 318 */
+ {          0x01,             320, 0,  5, "ecSignWithsha1"                 }, /* 319 */
+ {          0x02,             321, 0,  5, "ecSignWithripemd160"            }, /* 320 */
+ {          0x03,             322, 0,  5, "ecSignWithmd2"                  }, /* 321 */
+ {          0x04,             323, 0,  5, "ecSignWithmd5"                  }, /* 322 */
+ {          0x05,             340, 1,  5, "ttt-ecg"                        }, /* 323 */
+ {            0x01,           328, 1,  6, "fieldType"                      }, /* 324 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 325 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 326 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 327 */
+ {            0x02,           330, 1,  6, "keyType"                        }, /* 328 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 329 */
+ {            0x03,           331, 0,  6, "curve"                          }, /* 330 */
+ {            0x04,           338, 1,  6, "signatures"                     }, /* 331 */
+ {              0x01,         333, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 332 */
+ {              0x02,         334, 0,  7, "ecgdsa-with-SHA1"               }, /* 333 */
+ {              0x03,         335, 0,  7, "ecgdsa-with-SHA224"             }, /* 334 */
+ {              0x04,         336, 0,  7, "ecgdsa-with-SHA256"             }, /* 335 */
+ {              0x05,         337, 0,  7, "ecgdsa-with-SHA384"             }, /* 336 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 337 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 338 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 339 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 340 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 341 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 342 */
+ {                0x01,       344, 0,  8, "brainpoolP160r1"                }, /* 343 */
+ {                0x02,       345, 0,  8, "brainpoolP160t1"                }, /* 344 */
+ {                0x03,       346, 0,  8, "brainpoolP192r1"                }, /* 345 */
+ {                0x04,       347, 0,  8, "brainpoolP192t1"                }, /* 346 */
+ {                0x05,       348, 0,  8, "brainpoolP224r1"                }, /* 347 */
+ {                0x06,       349, 0,  8, "brainpoolP224t1"                }, /* 348 */
+ {                0x07,       350, 0,  8, "brainpoolP256r1"                }, /* 349 */
+ {                0x08,       351, 0,  8, "brainpoolP256t1"                }, /* 350 */
+ {                0x09,       352, 0,  8, "brainpoolP320r1"                }, /* 351 */
+ {                0x0A,       353, 0,  8, "brainpoolP320t1"                }, /* 352 */
+ {                0x0B,       354, 0,  8, "brainpoolP384r1"                }, /* 353 */
+ {                0x0C,       355, 0,  8, "brainpoolP384t1"                }, /* 354 */
+ {                0x0D,       356, 0,  8, "brainpoolP512r1"                }, /* 355 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 356 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 357 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 358 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 359 */
+ {        0x01,               361, 0,  4, "sect163k1"                      }, /* 360 */
+ {        0x02,               362, 0,  4, "sect163r1"                      }, /* 361 */
+ {        0x03,               363, 0,  4, "sect239k1"                      }, /* 362 */
+ {        0x04,               364, 0,  4, "sect113r1"                      }, /* 363 */
+ {        0x05,               365, 0,  4, "sect113r2"                      }, /* 364 */
+ {        0x06,               366, 0,  4, "secp112r1"                      }, /* 365 */
+ {        0x07,               367, 0,  4, "secp112r2"                      }, /* 366 */
+ {        0x08,               368, 0,  4, "secp160r1"                      }, /* 367 */
+ {        0x09,               369, 0,  4, "secp160k1"                      }, /* 368 */
+ {        0x0A,               370, 0,  4, "secp256k1"                      }, /* 369 */
+ {        0x0F,               371, 0,  4, "sect163r2"                      }, /* 370 */
+ {        0x10,               372, 0,  4, "sect283k1"                      }, /* 371 */
+ {        0x11,               373, 0,  4, "sect283r1"                      }, /* 372 */
+ {        0x16,               374, 0,  4, "sect131r1"                      }, /* 373 */
+ {        0x17,               375, 0,  4, "sect131r2"                      }, /* 374 */
+ {        0x18,               376, 0,  4, "sect193r1"                      }, /* 375 */
+ {        0x19,               377, 0,  4, "sect193r2"                      }, /* 376 */
+ {        0x1A,               378, 0,  4, "sect233k1"                      }, /* 377 */
+ {        0x1B,               379, 0,  4, "sect233r1"                      }, /* 378 */
+ {        0x1C,               380, 0,  4, "secp128r1"                      }, /* 379 */
+ {        0x1D,               381, 0,  4, "secp128r2"                      }, /* 380 */
+ {        0x1E,               382, 0,  4, "secp160r2"                      }, /* 381 */
+ {        0x1F,               383, 0,  4, "secp192k1"                      }, /* 382 */
+ {        0x20,               384, 0,  4, "secp224k1"                      }, /* 383 */
+ {        0x21,               385, 0,  4, "secp224r1"                      }, /* 384 */
+ {        0x22,               386, 0,  4, "secp384r1"                      }, /* 385 */
+ {        0x23,               387, 0,  4, "secp521r1"                      }, /* 386 */
+ {        0x24,               388, 0,  4, "sect409k1"                      }, /* 387 */
+ {        0x25,               389, 0,  4, "sect409r1"                      }, /* 388 */
+ {        0x26,               390, 0,  4, "sect571k1"                      }, /* 389 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 390 */
+ {0x60,                       445, 1,  0, ""                               }, /* 391 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 392 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 393 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 394 */
+ {        0x65,               421, 1,  4, "gov"                            }, /* 395 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 396 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 397 */
+ {              0x01,         408, 1,  7, "aes"                            }, /* 398 */
+ {                0x02,       400, 0,  8, "id-aes128-CBC"                  }, /* 399 */
+ {                0x06,       401, 0,  8, "id-aes128-GCM"                  }, /* 400 */
+ {                0x07,       402, 0,  8, "id-aes128-CCM"                  }, /* 401 */
+ {                0x16,       403, 0,  8, "id-aes192-CBC"                  }, /* 402 */
+ {                0x1A,       404, 0,  8, "id-aes192-GCM"                  }, /* 403 */
+ {                0x1B,       405, 0,  8, "id-aes192-CCM"                  }, /* 404 */
+ {                0x2A,       406, 0,  8, "id-aes256-CBC"                  }, /* 405 */
+ {                0x2E,       407, 0,  8, "id-aes256-GCM"                  }, /* 406 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 407 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 408 */
+ {                0x01,       410, 0,  8, "id-sha256"                      }, /* 409 */
+ {                0x02,       411, 0,  8, "id-sha384"                      }, /* 410 */
+ {                0x03,       412, 0,  8, "id-sha512"                      }, /* 411 */
+ {                0x04,       413, 0,  8, "id-sha224"                      }, /* 412 */
+ {                0x05,       414, 0,  8, "id-sha512-224"                  }, /* 413 */
+ {                0x06,       415, 0,  8, "id-sha512-256"                  }, /* 414 */
+ {                0x07,       416, 0,  8, "id-sha3-224"                    }, /* 415 */
+ {                0x08,       417, 0,  8, "id-sha3-256"                    }, /* 416 */
+ {                0x09,       418, 0,  8, "id-sha3-384"                    }, /* 417 */
+ {                0x0A,       419, 0,  8, "id-sha3-512"                    }, /* 418 */
+ {                0x0B,       420, 0,  8, "id-shake128"                    }, /* 419 */
+ {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 420 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 421 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 422 */
+ {            0x42,           435, 1,  6, "netscape"                       }, /* 423 */
+ {              0x01,         430, 1,  7, ""                               }, /* 424 */
+ {                0x01,       426, 0,  8, "nsCertType"                     }, /* 425 */
+ {                0x03,       427, 0,  8, "nsRevocationUrl"                }, /* 426 */
+ {                0x04,       428, 0,  8, "nsCaRevocationUrl"              }, /* 427 */
+ {                0x08,       429, 0,  8, "nsCaPolicyUrl"                  }, /* 428 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 429 */
+ {              0x03,         433, 1,  7, "directory"                      }, /* 430 */
+ {                0x01,         0, 1,  8, ""                               }, /* 431 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 432 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 433 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 434 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 435 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 436 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 437 */
+ {                  0x02,     439, 0,  9, "messageType"                    }, /* 438 */
+ {                  0x03,     440, 0,  9, "pkiStatus"                      }, /* 439 */
+ {                  0x04,     441, 0,  9, "failInfo"                       }, /* 440 */
+ {                  0x05,     442, 0,  9, "senderNonce"                    }, /* 441 */
+ {                  0x06,     443, 0,  9, "recipientNonce"                 }, /* 442 */
+ {                  0x07,     444, 0,  9, "transID"                        }, /* 443 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 444 */
+ {0x67,                         0, 1,  0, ""                               }, /* 445 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 446 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 447 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 448 */
+ {        0x01,               450, 0,  4, "tcg-at-tpmManufacturer"         }, /* 449 */
+ {        0x02,               451, 0,  4, "tcg-at-tpmModel"                }, /* 450 */
+ {        0x03,               452, 0,  4, "tcg-at-tpmVersion"              }, /* 451 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 452 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 14f774adb..d72d986c5 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -138,101 +138,102 @@ extern const oid_t oid_names[];
 #define OID_ECDSA_WITH_SHA256				186
 #define OID_ECDSA_WITH_SHA384				187
 #define OID_ECDSA_WITH_SHA512				188
+#define OID_MS_SMARTCARD_LOGON				202
 #define OID_USER_PRINCIPAL_NAME				203
-#define OID_STRONGSWAN						206
-#define OID_TCGID							213
-#define OID_AUTHORITY_INFO_ACCESS			241
-#define OID_IP_ADDR_BLOCKS					243
-#define OID_POLICY_QUALIFIER_CPS			245
-#define OID_POLICY_QUALIFIER_UNOTICE		246
-#define OID_SERVER_AUTH						248
-#define OID_CLIENT_AUTH						249
-#define OID_OCSP_SIGNING					256
-#define OID_XMPP_ADDR						262
-#define OID_AUTHENTICATION_INFO				266
-#define OID_ACCESS_IDENTITY					267
-#define OID_CHARGING_IDENTITY				268
-#define OID_GROUP							269
-#define OID_OCSP							272
-#define OID_BASIC							273
-#define OID_NONCE							274
-#define OID_CRL								275
-#define OID_RESPONSE						276
-#define OID_NO_CHECK						277
-#define OID_ARCHIVE_CUTOFF					278
-#define OID_SERVICE_LOCATOR					279
-#define OID_CA_ISSUERS						280
-#define OID_IKE_INTERMEDIATE				285
-#define OID_DES_CBC							289
-#define OID_SHA1							290
-#define OID_SHA1_WITH_RSA_OIW				291
-#define OID_ECGDSA_PUBKEY					310
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		313
-#define OID_ECGDSA_SIG_WITH_SHA1			314
-#define OID_ECGDSA_SIG_WITH_SHA224			315
-#define OID_ECGDSA_SIG_WITH_SHA256			316
-#define OID_ECGDSA_SIG_WITH_SHA384			317
-#define OID_ECGDSA_SIG_WITH_SHA512			318
-#define OID_SECT163K1						341
-#define OID_SECT163R1						342
-#define OID_SECT239K1						343
-#define OID_SECT113R1						344
-#define OID_SECT113R2						345
-#define OID_SECT112R1						346
-#define OID_SECT112R2						347
-#define OID_SECT160R1						348
-#define OID_SECT160K1						349
-#define OID_SECT256K1						350
-#define OID_SECT163R2						351
-#define OID_SECT283K1						352
-#define OID_SECT283R1						353
-#define OID_SECT131R1						354
-#define OID_SECT131R2						355
-#define OID_SECT193R1						356
-#define OID_SECT193R2						357
-#define OID_SECT233K1						358
-#define OID_SECT233R1						359
-#define OID_SECT128R1						360
-#define OID_SECT128R2						361
-#define OID_SECT160R2						362
-#define OID_SECT192K1						363
-#define OID_SECT224K1						364
-#define OID_SECT224R1						365
-#define OID_SECT384R1						366
-#define OID_SECT521R1						367
-#define OID_SECT409K1						368
-#define OID_SECT409R1						369
-#define OID_SECT571K1						370
-#define OID_SECT571R1						371
-#define OID_AES128_CBC						380
-#define OID_AES128_GCM						381
-#define OID_AES128_CCM						382
-#define OID_AES192_CBC						383
-#define OID_AES192_GCM						384
-#define OID_AES192_CCM						385
-#define OID_AES256_CBC						386
-#define OID_AES256_GCM						387
-#define OID_AES256_CCM						388
-#define OID_SHA256							390
-#define OID_SHA384							391
-#define OID_SHA512							392
-#define OID_SHA224							393
-#define OID_NS_REVOCATION_URL				401
-#define OID_NS_CA_REVOCATION_URL			402
-#define OID_NS_CA_POLICY_URL				403
-#define OID_NS_COMMENT						404
-#define OID_EMPLOYEE_NUMBER					407
-#define OID_PKI_MESSAGE_TYPE				413
-#define OID_PKI_STATUS						414
-#define OID_PKI_FAIL_INFO					415
-#define OID_PKI_SENDER_NONCE				416
-#define OID_PKI_RECIPIENT_NONCE				417
-#define OID_PKI_TRANS_ID					418
-#define OID_TPM_MANUFACTURER				424
-#define OID_TPM_MODEL						425
-#define OID_TPM_VERSION						426
-#define OID_TPM_ID_LABEL					427
+#define OID_STRONGSWAN						209
+#define OID_TCGID							216
+#define OID_AUTHORITY_INFO_ACCESS			260
+#define OID_IP_ADDR_BLOCKS					262
+#define OID_POLICY_QUALIFIER_CPS			264
+#define OID_POLICY_QUALIFIER_UNOTICE		265
+#define OID_SERVER_AUTH						267
+#define OID_CLIENT_AUTH						268
+#define OID_OCSP_SIGNING					275
+#define OID_XMPP_ADDR						281
+#define OID_AUTHENTICATION_INFO				285
+#define OID_ACCESS_IDENTITY					286
+#define OID_CHARGING_IDENTITY				287
+#define OID_GROUP							288
+#define OID_OCSP							291
+#define OID_BASIC							292
+#define OID_NONCE							293
+#define OID_CRL								294
+#define OID_RESPONSE						295
+#define OID_NO_CHECK						296
+#define OID_ARCHIVE_CUTOFF					297
+#define OID_SERVICE_LOCATOR					298
+#define OID_CA_ISSUERS						299
+#define OID_IKE_INTERMEDIATE				304
+#define OID_DES_CBC							308
+#define OID_SHA1							309
+#define OID_SHA1_WITH_RSA_OIW				310
+#define OID_ECGDSA_PUBKEY					329
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		332
+#define OID_ECGDSA_SIG_WITH_SHA1			333
+#define OID_ECGDSA_SIG_WITH_SHA224			334
+#define OID_ECGDSA_SIG_WITH_SHA256			335
+#define OID_ECGDSA_SIG_WITH_SHA384			336
+#define OID_ECGDSA_SIG_WITH_SHA512			337
+#define OID_SECT163K1						360
+#define OID_SECT163R1						361
+#define OID_SECT239K1						362
+#define OID_SECT113R1						363
+#define OID_SECT113R2						364
+#define OID_SECT112R1						365
+#define OID_SECT112R2						366
+#define OID_SECT160R1						367
+#define OID_SECT160K1						368
+#define OID_SECT256K1						369
+#define OID_SECT163R2						370
+#define OID_SECT283K1						371
+#define OID_SECT283R1						372
+#define OID_SECT131R1						373
+#define OID_SECT131R2						374
+#define OID_SECT193R1						375
+#define OID_SECT193R2						376
+#define OID_SECT233K1						377
+#define OID_SECT233R1						378
+#define OID_SECT128R1						379
+#define OID_SECT128R2						380
+#define OID_SECT160R2						381
+#define OID_SECT192K1						382
+#define OID_SECT224K1						383
+#define OID_SECT224R1						384
+#define OID_SECT384R1						385
+#define OID_SECT521R1						386
+#define OID_SECT409K1						387
+#define OID_SECT409R1						388
+#define OID_SECT571K1						389
+#define OID_SECT571R1						390
+#define OID_AES128_CBC						399
+#define OID_AES128_GCM						400
+#define OID_AES128_CCM						401
+#define OID_AES192_CBC						402
+#define OID_AES192_GCM						403
+#define OID_AES192_CCM						404
+#define OID_AES256_CBC						405
+#define OID_AES256_GCM						406
+#define OID_AES256_CCM						407
+#define OID_SHA256							409
+#define OID_SHA384							410
+#define OID_SHA512							411
+#define OID_SHA224							412
+#define OID_NS_REVOCATION_URL				426
+#define OID_NS_CA_REVOCATION_URL			427
+#define OID_NS_CA_POLICY_URL				428
+#define OID_NS_COMMENT						429
+#define OID_EMPLOYEE_NUMBER					432
+#define OID_PKI_MESSAGE_TYPE				438
+#define OID_PKI_STATUS						439
+#define OID_PKI_FAIL_INFO					440
+#define OID_PKI_SENDER_NONCE				441
+#define OID_PKI_RECIPIENT_NONCE				442
+#define OID_PKI_TRANS_ID					443
+#define OID_TPM_MANUFACTURER				449
+#define OID_TPM_MODEL						450
+#define OID_TPM_VERSION						451
+#define OID_TPM_ID_LABEL					452
 
-#define OID_MAX								428
+#define OID_MAX								453
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index c15a1cc2a..e545188d4 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -200,8 +200,11 @@
                   0x04       "msEncryptingFileSystem"
               0x14           "msEnrollmentInfrastructure"
                 0x02         "msCertificateTypeExtension"
-                  0x02       "msSmartcardLogon"
+                  0x02       "msSmartcardLogon"			OID_MS_SMARTCARD_LOGON
                   0x03       "msUPN"					OID_USER_PRINCIPAL_NAME
+              0x15           "msCertSrvInfrastructure"
+                0x07         "msCertTemplate"
+                0x0A         "msApplicationCertPolicies"
             0xA0             ""
               0x2A           "ITA"
                 0x01         "strongSwan"				OID_STRONGSWAN
@@ -212,7 +215,7 @@
                   0x02       ""
                     0x02     ""
                       0x4B   "TCGID"					OID_TCGID
-          0xc1               ""
+          0xC1               ""
             0x16             "ntruCryptosystems"
               0x01           "eess"
                 0x01         "eess1"
@@ -234,6 +237,22 @@
                     0x12     "ees251sp7"
                     0x13     "ees251sp8"
                     0x14     "ees251sp9"
+                    0x22     "ees401ep1"
+                    0x23     "ees449ep1"
+                    0x24     "ees677ep1"
+                    0x25     "ees1087ep2"
+                    0x26     "ees541ep1"
+                    0x27     "ees613ep1"
+                    0x28     "ees887ep1"
+                    0x29     "ees1171ep1"
+                    0x2A     "ees659ep1"
+                    0x2B     "ees761ep1"
+                    0x2C     "ees1087ep1"
+                    0x2D     "ees1499ep1"
+                    0x2E     "ees401ep2"
+                    0x2F     "ees439ep1"
+                    0x30     "ees593ep1"
+                    0x31     "ees743ep1"
                   0x03       "eess1-encodingMethods"
       0x05                   "security"
         0x05                 "mechanisms"
@@ -388,12 +407,18 @@
                 0x2E         "id-aes256-GCM"			OID_AES256_GCM
                 0x2F         "id-aes256-CCM"			OID_AES256_CCM
               0x02           "hashalgs"
-                0x01         "id-SHA-256"				OID_SHA256
-                0x02         "id-SHA-384"				OID_SHA384
-                0x03         "id-SHA-512"				OID_SHA512
-                0x04         "id-SHA-224"				OID_SHA224
-                0x05         "id-SHA-512-224"
-                0x06         "id-SHA-512-256"
+                0x01         "id-sha256"				OID_SHA256
+                0x02         "id-sha384"				OID_SHA384
+                0x03         "id-sha512"				OID_SHA512
+                0x04         "id-sha224"				OID_SHA224
+                0x05         "id-sha512-224"
+                0x06         "id-sha512-256"
+                0x07         "id-sha3-224"
+                0x08         "id-sha3-256"
+                0x09         "id-sha3-384"
+                0x0A         "id-sha3-512"
+                0x0B         "id-shake128"
+                0x0C         "id-shake256"
         0x86                 ""
           0xf8               ""
             0x42             "netscape"
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 314e8e916..75efb85bf 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -141,7 +141,7 @@ static void remove_tail(array_t *array, int idx)
 	/* move all items after idx one down */
 	memmove(array->data + get_size(array, idx + array->head),
 			array->data + get_size(array, idx + array->head + 1),
-			get_size(array, array->count - idx));
+			get_size(array, array->count - 1 - idx));
 	array->count--;
 	array->tail++;
 }
diff --git a/src/libstrongswan/collections/hashtable.c b/src/libstrongswan/collections/hashtable.c
index 1003aa0fa..ca31d8361 100644
--- a/src/libstrongswan/collections/hashtable.c
+++ b/src/libstrongswan/collections/hashtable.c
@@ -30,7 +30,7 @@ struct pair_t {
 	/**
 	 * Key of a hash table item.
 	 */
-	void *key;
+	const void *key;
 
 	/**
 	 * Value of a hash table item.
@@ -51,7 +51,7 @@ struct pair_t {
 /**
  * Creates an empty pair object.
  */
-static inline pair_t *pair_create(void *key, void *value, u_int hash)
+static inline pair_t *pair_create(const void *key, void *value, u_int hash)
 {
 	pair_t *this;
 
@@ -153,7 +153,7 @@ struct private_enumerator_t {
 /*
  * See header.
  */
-u_int hashtable_hash_ptr(void *key)
+u_int hashtable_hash_ptr(const void *key)
 {
 	return chunk_hash(chunk_from_thing(key));
 }
@@ -161,7 +161,7 @@ u_int hashtable_hash_ptr(void *key)
 /*
  * See header.
  */
-u_int hashtable_hash_str(void *key)
+u_int hashtable_hash_str(const void *key)
 {
 	return chunk_hash(chunk_from_str((char*)key));
 }
@@ -169,7 +169,7 @@ u_int hashtable_hash_str(void *key)
 /*
  * See header.
  */
-bool hashtable_equals_ptr(void *key, void *other_key)
+bool hashtable_equals_ptr(const void *key, const void *other_key)
 {
 	return key == other_key;
 }
@@ -177,7 +177,7 @@ bool hashtable_equals_ptr(void *key, void *other_key)
 /*
  * See header.
  */
-bool hashtable_equals_str(void *key, void *other_key)
+bool hashtable_equals_str(const void *key, const void *other_key)
 {
 	return streq(key, other_key);
 }
@@ -250,7 +250,7 @@ static void rehash(private_hashtable_t *this)
 }
 
 METHOD(hashtable_t, put, void*,
-	   private_hashtable_t *this, void *key, void *value)
+	   private_hashtable_t *this, const void *key, void *value)
 {
 	void *old_value = NULL;
 	pair_t *pair;
@@ -284,7 +284,7 @@ METHOD(hashtable_t, put, void*,
 	return old_value;
 }
 
-static void *get_internal(private_hashtable_t *this, void *key,
+static void *get_internal(private_hashtable_t *this, const void *key,
 						  hashtable_equals_t equals)
 {
 	void *value = NULL;
@@ -309,19 +309,19 @@ static void *get_internal(private_hashtable_t *this, void *key,
 }
 
 METHOD(hashtable_t, get, void*,
-	   private_hashtable_t *this, void *key)
+	   private_hashtable_t *this, const void *key)
 {
 	return get_internal(this, key, this->equals);
 }
 
 METHOD(hashtable_t, get_match, void*,
-	   private_hashtable_t *this, void *key, hashtable_equals_t match)
+	   private_hashtable_t *this, const void *key, hashtable_equals_t match)
 {
 	return get_internal(this, key, match);
 }
 
 METHOD(hashtable_t, remove_, void*,
-	   private_hashtable_t *this, void *key)
+	   private_hashtable_t *this, const void *key)
 {
 	void *value = NULL;
 	pair_t *pair, *prev = NULL;
@@ -379,7 +379,7 @@ METHOD(hashtable_t, get_count, u_int,
 }
 
 METHOD(enumerator_t, enumerate, bool,
-	   private_enumerator_t *this, void **key, void **value)
+	   private_enumerator_t *this, const void **key, void **value)
 {
 	while (this->count && this->row < this->table->capacity)
 	{
diff --git a/src/libstrongswan/collections/hashtable.h b/src/libstrongswan/collections/hashtable.h
index 520a86c90..0a7ebeb65 100644
--- a/src/libstrongswan/collections/hashtable.h
+++ b/src/libstrongswan/collections/hashtable.h
@@ -31,7 +31,7 @@ typedef struct hashtable_t hashtable_t;
  * @param key			key to hash
  * @return				hash code
  */
-typedef u_int (*hashtable_hash_t)(void *key);
+typedef u_int (*hashtable_hash_t)(const void *key);
 
 /**
  * Hashtable hash function calculation the hash solely based on the key pointer.
@@ -39,7 +39,7 @@ typedef u_int (*hashtable_hash_t)(void *key);
  * @param key			key to hash
  * @return				hash of key
  */
-u_int hashtable_hash_ptr(void *key);
+u_int hashtable_hash_ptr(const void *key);
 
 /**
  * Hashtable hash function calculation the hash for char* keys.
@@ -47,7 +47,7 @@ u_int hashtable_hash_ptr(void *key);
  * @param key			key to hash, a char*
  * @return				hash of key
  */
-u_int hashtable_hash_str(void *key);
+u_int hashtable_hash_str(const void *key);
 
 /**
  * Prototype for a function that compares the two keys for equality.
@@ -56,7 +56,7 @@ u_int hashtable_hash_str(void *key);
  * @param other_key		second key
  * @return				TRUE if the keys are equal
  */
-typedef bool (*hashtable_equals_t)(void *key, void *other_key);
+typedef bool (*hashtable_equals_t)(const void *key, const void *other_key);
 
 /**
  * Hashtable equals function comparing pointers.
@@ -65,7 +65,7 @@ typedef bool (*hashtable_equals_t)(void *key, void *other_key);
  * @param other_key		other key to compare
  * @return				TRUE if key == other_key
  */
-bool hashtable_equals_ptr(void *key, void *other_key);
+bool hashtable_equals_ptr(const void *key, const void *other_key);
 
 /**
  * Hashtable equals function comparing char* keys.
@@ -74,7 +74,7 @@ bool hashtable_equals_ptr(void *key, void *other_key);
  * @param other_key		other key to compare
  * @return				TRUE if streq(key, other_key)
  */
-bool hashtable_equals_str(void *key, void *other_key);
+bool hashtable_equals_str(const void *key, const void *other_key);
 
 /**
  * Class implementing a hash table.
@@ -100,7 +100,7 @@ struct hashtable_t {
 	 * @param value		the value to store
 	 * @return			NULL if no item was replaced, the old value otherwise
 	 */
-	void *(*put) (hashtable_t *this, void *key, void *value);
+	void *(*put) (hashtable_t *this, const void *key, void *value);
 
 	/**
 	 * Returns the value with the given key, if the hash table contains such an
@@ -109,7 +109,7 @@ struct hashtable_t {
 	 * @param key		the key of the requested value
 	 * @return			the value, NULL if not found
 	 */
-	void *(*get) (hashtable_t *this, void *key);
+	void *(*get) (hashtable_t *this, const void *key);
 
 	/**
 	 * Returns the value with a matching key, if the hash table contains such an
@@ -125,7 +125,8 @@ struct hashtable_t {
 	 * @param match		match function to be used when comparing keys
 	 * @return			the value, NULL if not found
 	 */
-	void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match);
+	void *(*get_match) (hashtable_t *this, const void *key,
+						hashtable_equals_t match);
 
 	/**
 	 * Removes the value with the given key from the hash table and returns the
@@ -134,7 +135,7 @@ struct hashtable_t {
 	 * @param key		the key of the value to remove
 	 * @return			the removed value, NULL if not found
 	 */
-	void *(*remove) (hashtable_t *this, void *key);
+	void *(*remove) (hashtable_t *this, const void *key);
 
 	/**
 	 * Removes the key and value pair from the hash table at which the given
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 2203519e2..4ff9aa6dd 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -31,7 +31,7 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_XAUTH,
 	"XAuth",
 );
 
-ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_IDENTITY",
 	"RULE_IDENTITY_LOOSE",
 	"RULE_AUTH_CLASS",
@@ -56,6 +56,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
 	"HELPER_IM_HASH_URL",
 	"HELPER_SUBJECT_HASH_URL",
 	"HELPER_REVOCATION_CERT",
+	"HELPER_AC_CERT",
 );
 
 /**
@@ -91,6 +92,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 			return TRUE;
 	}
 	return FALSE;
@@ -224,6 +226,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 			/* pointer type */
 			this->value = va_arg(args, void*);
 			break;
@@ -262,6 +265,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 		{
 			certificate_t *c1, *c2;
 
@@ -319,6 +323,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 		{
 			certificate_t *cert = (certificate_t*)entry->value;
 			cert->destroy(cert);
@@ -390,6 +395,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			case AUTH_HELPER_REVOCATION_CERT:
+			case AUTH_HELPER_AC_CERT:
 				/* pointer type */
 				entry->value = va_arg(args, void*);
 				break;
@@ -467,6 +473,7 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 		case AUTH_RULE_MAX:
 			break;
 	}
@@ -736,6 +743,7 @@ METHOD(auth_cfg_t, complies, bool,
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			case AUTH_HELPER_REVOCATION_CERT:
+			case AUTH_HELPER_AC_CERT:
 			case AUTH_RULE_MAX:
 				/* skip helpers */
 				continue;
@@ -868,6 +876,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_HELPER_IM_CERT:
 				case AUTH_HELPER_SUBJECT_CERT:
 				case AUTH_HELPER_REVOCATION_CERT:
+				case AUTH_HELPER_AC_CERT:
 				{
 					certificate_t *cert = (certificate_t*)value;
 
@@ -1029,6 +1038,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_REVOCATION_CERT:
+			case AUTH_HELPER_AC_CERT:
 			{
 				certificate_t *cert = (certificate_t*)value;
 				clone->add(clone, type, cert->get_ref(cert));
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index d87935589..95b36d706 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -117,6 +117,8 @@ enum auth_rule_t {
 	AUTH_HELPER_SUBJECT_HASH_URL,
 	/** revocation certificate (CRL, OCSP), certificate_t* */
 	AUTH_HELPER_REVOCATION_CERT,
+	/** attribute certificate for authorization decisions, certificate_t */
+	AUTH_HELPER_AC_CERT,
 
 	/** helper to determine the number of elements in this enum */
 	AUTH_RULE_MAX,
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 4e52272a7..ddb64ef88 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -38,7 +38,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_SERIAL",
 	"BUILD_DIGEST_ALG",
 	"BUILD_ENCRYPTION_ALG",
-	"BUILD_IETF_GROUP_ATTR",
+	"BUILD_AC_GROUP_STRINGS",
 	"BUILD_CA_CERT",
 	"BUILD_CERT",
 	"BUILD_CRL_DISTRIBUTION_POINTS",
@@ -72,4 +72,3 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_THRESHOLD",
 	"BUILD_END",
 );
-
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 103b823c0..627e0934d 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -87,8 +87,8 @@ enum builder_part_t {
 	BUILD_DIGEST_ALG,
 	/** encryption algorithm to use, encryption_algorithm_t */
 	BUILD_ENCRYPTION_ALG,
-	/** a comma-separated list of ietf group attributes, char* */
-	BUILD_IETF_GROUP_ATTR,
+	/** list of AC group memberships, linked_list_t* with char* */
+	BUILD_AC_GROUP_STRINGS,
 	/** a ca certificate, certificate_t* */
 	BUILD_CA_CERT,
 	/** a certificate, certificate_t* */
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index 57b44adca..9a3d8f0b9 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -24,9 +24,18 @@
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 
 typedef struct ac_t ac_t;
+typedef enum ac_group_type_t ac_group_type_t;
+
+/**
+ * Common group types, from IETF Attributes Syntax
+ */
+enum ac_group_type_t {
+	AC_GROUP_TYPE_OCTETS,
+	AC_GROUP_TYPE_STRING,
+	AC_GROUP_TYPE_OID,
+};
 
 /**
  * X.509 attribute certificate interface.
@@ -70,19 +79,11 @@ struct ac_t {
 	chunk_t (*get_authKeyIdentifier)(ac_t *this);
 
 	/**
-	 * Get the group memberships as a list of IETF attributes
-	 *
-	 * @return			object containing a list of IETF attributes
-	 */
-	ietf_attributes_t* (*get_groups)(ac_t *this);
-
-	/**
-	 * @brief Checks if two attribute certificates belong to the same holder
+	 * Create an enumerator of contained Group memberships.
 	 *
-	 * @param that			other attribute certificate
-	 * @return				TRUE if same holder
+	 * @return			enumerator over (ac_group_type_t, chunk_t)
 	 */
-	bool (*equals_holder) (ac_t *this, ac_t *other);
+	enumerator_t* (*create_group_enumerator)(ac_t *this);
 };
 
 #endif /** AC_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 4e8d4317f..6cbfcdeed 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -39,25 +39,27 @@ typedef enum x509_constraint_t x509_constraint_t;
  */
 enum x509_flag_t {
 	/** cert has no constraints */
-	X509_NONE =				0,
+	X509_NONE =	               0,
 	/** cert has CA constraint */
-	X509_CA =				(1<<0),
+	X509_CA =                 (1<<0),
 	/** cert has AA constraint */
-	X509_AA =				(1<<1),
+	X509_AA =                 (1<<1),
 	/** cert has OCSP signer constraint */
-	X509_OCSP_SIGNER =		(1<<2),
+	X509_OCSP_SIGNER =        (1<<2),
 	/** cert has serverAuth key usage */
-	X509_SERVER_AUTH =		(1<<3),
+	X509_SERVER_AUTH =        (1<<3),
 	/** cert has clientAuth key usage */
-	X509_CLIENT_AUTH =		(1<<4),
+	X509_CLIENT_AUTH =        (1<<4),
 	/** cert is self-signed */
-	X509_SELF_SIGNED =		(1<<5),
+	X509_SELF_SIGNED =        (1<<5),
 	/** cert has an ipAddrBlocks extension */
-	X509_IP_ADDR_BLOCKS =	(1<<6),
+	X509_IP_ADDR_BLOCKS =     (1<<6),
 	/** cert has CRL sign key usage */
-	X509_CRL_SIGN =			(1<<7),
+	X509_CRL_SIGN =           (1<<7),
 	/** cert has iKEIntermediate key usage */
-	X509_IKE_INTERMEDIATE =	(1<<8),
+	X509_IKE_INTERMEDIATE =   (1<<8),
+	/** cert has Microsoft Smartcard Logon usage */
+	X509_MS_SMARTCARD_LOGON = (1<<9),
 };
 
 /**
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 53ac13cbb..303816391 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -94,22 +94,6 @@ bool cred_encoding_args(va_list args, ...)
 	return !failed;
 }
 
-/**
- * hashtable hash() function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * hashtable equals() function
- */
-static bool equals(void *key1, void *key2)
-{
-	return key1 == key2;
-}
-
 METHOD(cred_encoding_t, get_cache, bool,
 	private_cred_encoding_t *this, cred_encoding_type_t type, void *cache,
 	chunk_t *encoding)
@@ -289,7 +273,8 @@ cred_encoding_t *cred_encoding_create()
 
 	for (type = 0; type < CRED_ENCODING_MAX; type++)
 	{
-		this->cache[type] = hashtable_create(hash, equals, 8);
+		this->cache[type] = hashtable_create(hashtable_hash_ptr,
+											 hashtable_equals_ptr, 8);
 	}
 
 	return &this->public;
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
deleted file mode 100644
index 49af5a079..000000000
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ /dev/null
@@ -1,534 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <collections/linked_list.h>
-#include <utils/lexparser.h>
-
-#include "ietf_attributes.h"
-
-/**
- * Private definition of IETF attribute types
- */
-typedef enum {
-	IETF_ATTRIBUTE_OCTETS =	0,
-	IETF_ATTRIBUTE_OID =	1,
-	IETF_ATTRIBUTE_STRING =	2
-} ietf_attribute_type_t;
-
-typedef struct ietf_attr_t ietf_attr_t;
-
-/**
- * Private definition of an IETF attribute
- */
-struct ietf_attr_t {
-	/**
-	 * IETF attribute type
-	 */
-	ietf_attribute_type_t type;
-
-	/**
-	 * IETF attribute value
-	 */
-	chunk_t value;
-
-	/**
-	 * Compares two IETF attributes
-	 *
-	 * return -1 if this is earlier in the alphabet than other
-	 * return  0 if this equals other
-	 * return +1 if this is later in the alphabet than other
-	 *
-	 * @param other		other object
-	 */
-	int (*compare) (ietf_attr_t *this, ietf_attr_t *other);
-
-	/**
-	 * Destroys an ietf_attr_t object.
-	 */
-	void (*destroy) (ietf_attr_t *this);
-};
-
-/**
- * Implements ietf_attr_t.compare.
- */
-static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other)
-{
-	int cmp_len, len, cmp_value;
-
-	/* OID attributes are appended after STRING and OCTETS attributes */
-	if (this->type != IETF_ATTRIBUTE_OID && other->type == IETF_ATTRIBUTE_OID)
-	{
-		return -1;
-	}
-	if (this->type == IETF_ATTRIBUTE_OID && other->type != IETF_ATTRIBUTE_OID)
-	{
-		return 1;
-	}
-
-	cmp_len = this->value.len - other->value.len;
-	len = (cmp_len < 0) ? this->value.len : other->value.len;
-	cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
-
-	return (cmp_value == 0) ? cmp_len : cmp_value;
-}
-
-/**
- * Implements ietf_attr_t.destroy.
- */
-static void ietf_attr_destroy(ietf_attr_t *this)
-{
-	free(this->value.ptr);
-	free(this);
-}
-
-/**
- * Creates an ietf_attr_t object.
- */
-static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value)
-{
-	ietf_attr_t *this;
-
-	INIT(this,
-		.compare = ietf_attr_compare,
-		.destroy = ietf_attr_destroy,
-		.type = type,
-		.value = chunk_clone(value),
-	);
-
-	return this;
-}
-
-typedef struct private_ietf_attributes_t private_ietf_attributes_t;
-
-/**
- * Private data of an ietf_attributes_t object.
- */
-struct private_ietf_attributes_t {
-	/**
-	 * Public interface.
-	 */
-	ietf_attributes_t public;
-
-	/**
-	 * Printable representation of the IETF attributes
-	 */
-	char *string;
-
-	/**
-	 * Linked list of IETF attributes.
-	 */
-	linked_list_t *list;
-
-	/**
-	 * reference count
-	 */
-	refcount_t ref;
-};
-
-METHOD(ietf_attributes_t, get_string, char*,
-	private_ietf_attributes_t *this)
-{
-	if (this->string == NULL)
-	{
-		char buf[BUF_LEN];
-		char *pos = buf;
-		int len = BUF_LEN;
-		bool first = TRUE;
-		ietf_attr_t *attr;
-		enumerator_t *enumerator;
-
-		enumerator = this->list->create_enumerator(this->list);
-		while (enumerator->enumerate(enumerator, &attr))
-		{
-			int written;
-
-			if (first)
-			{
-				first = FALSE;
-			}
-			else
-			{
-				written = snprintf(pos, len, ", ");
-				if (written < 0 || written >= len)
-				{
-					break;
-				}
-				pos += written;
-				len -= written;
-			}
-
-			switch (attr->type)
-			{
-				case IETF_ATTRIBUTE_OCTETS:
-				case IETF_ATTRIBUTE_STRING:
-					written = snprintf(pos, len, "%.*s", (int)attr->value.len,
-														 attr->value.ptr);
-					break;
-				case IETF_ATTRIBUTE_OID:
-				{
-					int oid = asn1_known_oid(attr->value);
-
-					if (oid == OID_UNKNOWN)
-					{
-						written = snprintf(pos, len, "0x%#B", &attr->value);
-					}
-					else
-					{
-						written = snprintf(pos, len, "%s", oid_names[oid].name);
-					}
-					break;
-				}
-				default:
-					written = 0;
-					break;
-			}
-			if (written < 0 || written >= len)
-			{
-				break;
-			}
-			pos += written;
-			len -= written;
-		}
-		enumerator->destroy(enumerator);
-		if (len < BUF_LEN)
-		{
-			this->string = strdup(buf);
-		}
-	}
-	return this->string;
-}
-
-METHOD(ietf_attributes_t, get_encoding, chunk_t,
-	private_ietf_attributes_t *this)
-{
-	chunk_t values;
-	size_t size = 0;
-	u_char *pos;
-	ietf_attr_t *attr;
-	enumerator_t *enumerator;
-
-	/* precalculate the total size of all values */
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		size_t len = attr->value.len;
-
-		size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
-	}
-	enumerator->destroy(enumerator);
-
-	pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
-
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		chunk_t ietfAttribute;
-		asn1_t type = ASN1_NULL;
-
-		switch (attr->type)
-		{
-			case IETF_ATTRIBUTE_OCTETS:
-				type = ASN1_OCTET_STRING;
-				break;
-			case IETF_ATTRIBUTE_STRING:
-				type = ASN1_UTF8STRING;
-				break;
-			case IETF_ATTRIBUTE_OID:
-				type = ASN1_OID;
-				break;
-		}
-		ietfAttribute = asn1_simple_object(type, attr->value);
-
-		/* copy ietfAttribute into values chunk */
-		memcpy(pos, ietfAttribute.ptr, ietfAttribute.len);
-		pos += ietfAttribute.len;
-		free(ietfAttribute.ptr);
-	}
-	enumerator->destroy(enumerator);
-
-	return asn1_wrap(ASN1_SEQUENCE, "m", values);
-}
-
-/**
- * Implementation of ietf_attributes_t.equals.
- */
-static bool equals(private_ietf_attributes_t *this,
-				   private_ietf_attributes_t *other)
-{
-	 bool result = TRUE;
-
-	/* lists must have the same number of attributes */
-	if (other == NULL ||
-		this->list->get_count(this->list) != other->list->get_count(other->list))
-	{
-		return FALSE;
-	}
-
-	/* compare two alphabetically-sorted lists */
-	{
-		ietf_attr_t *attr_a, *attr_b;
-		enumerator_t *enum_a, *enum_b;
-
-		enum_a = this->list->create_enumerator(this->list);
-		enum_b = other->list->create_enumerator(other->list);
-		while (enum_a->enumerate(enum_a, &attr_a) &&
-			   enum_b->enumerate(enum_b, &attr_b))
-		{
-			if (attr_a->compare(attr_a, attr_b) != 0)
-			{
-				/* we have a mismatch */
-				result = FALSE;
-				break;
-			}
-		}
-		enum_a->destroy(enum_a);
-		enum_b->destroy(enum_b);
-	}
-	return result;
-}
-
-/**
- * Implementation of ietf_attributes_t.matches.
- */
-static bool matches(private_ietf_attributes_t *this,
-					private_ietf_attributes_t *other)
-{
-	bool result = FALSE;
-	ietf_attr_t *attr_a, *attr_b;
-	enumerator_t *enum_a, *enum_b;
-
-	/* always match if this->list does not contain any attributes */
-	if (this->list->get_count(this->list) == 0)
-	{
-		return TRUE;
-	}
-
-	/* never match if other->list does not contain any attributes */
-	if (other == NULL || other->list->get_count(other->list) == 0)
-	{
-		return FALSE;
-	}
-
-	/* get first attribute from both lists */
-	enum_a = this->list->create_enumerator(this->list);
-	enum_a->enumerate(enum_a, &attr_a);
-	enum_b = other->list->create_enumerator(other->list);
-	enum_b->enumerate(enum_b, &attr_b);
-
-	/* look for at least one common attribute */
-	while (TRUE)
-	{
-		int cmp = attr_a->compare(attr_a, attr_b);
-
-		if (cmp == 0)
-		{
-			/* we have a match */
-			result = TRUE;
-			break;
-		}
-		if (cmp == -1)
-		{
-			/* attr_a is earlier in the alphabet, get next attr_a */
-			if (!enum_a->enumerate(enum_a, &attr_a))
-			{
-				/* we have reached the end of enum_a */
-				break;
-			}
-		}
-		else
-		{
-			/* attr_a is later in the alphabet, get next attr_b */
-			if (!enum_b->enumerate(enum_b, &attr_b))
-			{
-				/* we have reached the end of enum_b */
-				break;
-			}
-		}
-	}
-	enum_a->destroy(enum_a);
-	enum_b->destroy(enum_b);
-
-	return result;
-}
-
-METHOD(ietf_attributes_t, get_ref, ietf_attributes_t*,
-	private_ietf_attributes_t *this)
-{
-	ref_get(&this->ref);
-	return &this->public;
-}
-
-METHOD(ietf_attributes_t, destroy, void,
-	private_ietf_attributes_t *this)
-{
-	if (ref_put(&this->ref))
-	{
-		this->list->destroy_offset(this->list, offsetof(ietf_attr_t, destroy));
-		free(this->string);
-		free(this);
-	}
-}
-
-static private_ietf_attributes_t* create_empty(void)
-{
-	private_ietf_attributes_t *this;
-
-	INIT(this,
-		.public = {
-			.get_string = _get_string,
-			.get_encoding = _get_encoding,
-			.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals,
-			.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches,
-			.get_ref = _get_ref,
-			.destroy = _destroy,
-		},
-		.list = linked_list_create(),
-		.ref = 1,
-	);
-
-	return this;
-}
-
-/**
- * Adds an ietf_attr_t object to a sorted linked list
- */
-static void ietf_attributes_add(private_ietf_attributes_t *this,
-								ietf_attr_t *attr)
-{
-	ietf_attr_t *current_attr;
-	enumerator_t *enumerator;
-	int cmp = -1;
-
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, (void **)&current_attr) &&
-		  (cmp = attr->compare(attr, current_attr)) > 0)
-	{
-		continue;
-	}
-	if (cmp == 0)
-	{
-		attr->destroy(attr);
-	}
-	else
-	{	/* the enumerator either points to the end or to the attribute > attr */
-		this->list->insert_before(this->list, enumerator, attr);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/*
- * Described in header.
- */
-ietf_attributes_t *ietf_attributes_create_from_string(char *string)
-{
-	private_ietf_attributes_t *this = create_empty();
-
-	chunk_t line = { string, strlen(string) };
-
-	while (eat_whitespace(&line))
-	{
-		chunk_t group;
-
-		/* extract the next comma-separated group attribute */
-		if (!extract_token(&group, ',', &line))
-		{
-			group = line;
-			line.len = 0;
-		}
-
-		/* remove any trailing spaces */
-		while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
-		{
-			group.len--;
-		}
-
-		/* add the group attribute to the list */
-		if (group.len > 0)
-		{
-			ietf_attr_t *attr = ietf_attr_create(IETF_ATTRIBUTE_STRING, group);
-
-			ietf_attributes_add(this, attr);
-		}
-	}
-
-	return &(this->public);
-}
-
-/**
- * ASN.1 definition of ietfAttrSyntax
- */
-static const asn1Object_t ietfAttrSyntaxObjects[] =
-{
-	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
-													ASN1_BODY }, /*  1 */
-	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
-	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
-	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  4 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
-	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
-													ASN1_BODY }, /*  6 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
-	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  8 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
-	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
-};
-#define IETF_ATTR_OCTETS	 4
-#define IETF_ATTR_OID		 6
-#define IETF_ATTR_STRING	 8
-
-/*
- * Described in header.
- */
-ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded)
-{
-	private_ietf_attributes_t *this = create_empty();
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case IETF_ATTR_OCTETS:
-			case IETF_ATTR_OID:
-			case IETF_ATTR_STRING:
-				{
-					ietf_attribute_type_t type;
-					ietf_attr_t *attr;
-
-					type = (objectID - IETF_ATTR_OCTETS) / 2;
-					attr = ietf_attr_create(type, object);
-					ietf_attributes_add(this, attr);
-				}
-				break;
-			default:
-				break;
-		}
-	}
-	parser->destroy(parser);
-
-	return &(this->public);
-}
-
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
deleted file mode 100644
index ab6bae984..000000000
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ietf_attributes ietf_attributes
- * @{ @ingroup credentials
- */
-
-#ifndef IETF_ATTRIBUTES_H_
-#define IETF_ATTRIBUTES_H_
-
-typedef struct ietf_attributes_t ietf_attributes_t;
-
-#include <library.h>
-
-/**
- *
- */
-struct ietf_attributes_t {
-
-	/**
-	 * Get the an alphabetically sorted list of printable IETF attributes.
-	 *
-	 * Result points to internal data, do not free.
-	 *
-	 * @return 			a string containing printable attributes
-	 */
-	char* (*get_string) (ietf_attributes_t *this);
-
-	/**
-	 * Get the ASN.1 encoding of the IETF attributes.
-	 *
-	 * @return 			allocated chunk containing the encoded bytes
-	 */
-	chunk_t (*get_encoding) (ietf_attributes_t *this);
-
-	/**
-	 * Check for equality between two lists.
-	 *
-	 * @param other		attribute list to be checked for equality
-	 * @return 			TRUE if equal
-	 */
-	bool (*equals) (ietf_attributes_t *this, ietf_attributes_t *other);
-
-	/**
-	 * Check for common attributes between two lists.
-	 *
-	 * @param other		attribute list to be matched 
-	 * @return 			TRUE if there is at least a common attribute
-	 */
-	bool (*matches) (ietf_attributes_t *this, ietf_attributes_t *other);
-
-	/**
-	 * Get a new reference to the IETF attributes.
-	 *
-	 * @return			this, with an increased refcount
-	 */
-	ietf_attributes_t* (*get_ref)(ietf_attributes_t *this);
-
-	/**
-	 * Destroys an ietf_attributes_t object.
-	 */
-	void (*destroy) (ietf_attributes_t *this);
-};
-
-/**
- * @param string	input string, which will be converted
- * @return			ietf_attributes_t
- */
-ietf_attributes_t *ietf_attributes_create_from_string(char *string);
-
-/**
- * @param encoded	ASN.1 encoded bytes, such as from ietf_attributes.get_encoding
- * @return			ietf_attributes_t
- */
-ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded);
-
-#endif /** IETF_ATTRIBUTES_H_ @}*/
-
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 46bfb5c6e..c6b8d0c7e 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -133,7 +133,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
 		}
 		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
 				 rule != AUTH_HELPER_IM_CERT &&
-				 rule != AUTH_HELPER_REVOCATION_CERT)
+				 rule != AUTH_HELPER_REVOCATION_CERT &&
+				 rule != AUTH_HELPER_AC_CERT)
 		{	/* handle only HELPER certificates */
 			continue;
 		}
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
index c887f53bb..43f71b65e 100644
--- a/src/libstrongswan/crypto/aead.h
+++ b/src/libstrongswan/crypto/aead.h
@@ -102,6 +102,10 @@ struct aead_t {
 	/**
 	 * Get the size of the key material (for encryption and authentication).
 	 *
+	 * This includes any additional bytes requires for the implicit nonce part.
+	 * For AEADs based on traditional ciphers, the length is for both
+	 * the integrity and the encryption key in total.
+	 *
 	 * @return				key size in bytes
 	 */
 	size_t (*get_key_size)(aead_t *this);
@@ -109,6 +113,11 @@ struct aead_t {
 	/**
 	 * Set the key for encryption and authentication.
 	 *
+	 * If the AEAD uses an implicit nonce, the last part of the key shall
+	 * be the implicit nonce. For AEADs based on traditional ciphers, the
+	 * key shall include both integrity and encryption keys, concatenated
+	 * in that order.
+	 *
 	 * @param key			encryption and authentication key
 	 * @return				TRUE if key set successfully
 	 */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index dba3f6f6d..6dea30ee3 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -20,6 +20,7 @@
 #include <threading/rwlock.h>
 #include <collections/linked_list.h>
 #include <crypto/crypto_tester.h>
+#include <utils/test.h>
 
 const char *default_plugin_name = "default";
 
@@ -175,7 +176,7 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*,
 
 METHOD(crypto_factory_t, create_aead, aead_t*,
 	private_crypto_factory_t *this, encryption_algorithm_t algo,
-	size_t key_size)
+	size_t key_size, size_t salt_size)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -189,12 +190,12 @@ METHOD(crypto_factory_t, create_aead, aead_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_aead(this->tester, algo, key_size,
-										 entry->create_aead, NULL,
+										 salt_size, entry->create_aead, NULL,
 										 default_plugin_name))
 			{
 				continue;
 			}
-			aead = entry->create_aead(algo, key_size);
+			aead = entry->create_aead(algo, key_size, salt_size);
 			if (aead)
 			{
 				break;
@@ -473,7 +474,7 @@ METHOD(crypto_factory_t, add_aead, bool,
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
-		this->tester->test_aead(this->tester, algo, 0, create,
+		this->tester->test_aead(this->tester, algo, 0, 0, create,
 								this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->aeads, algo, plugin_name, speed, create);
@@ -976,3 +977,39 @@ crypto_factory_t *crypto_factory_create()
 
 	return &this->public;
 }
+
+/**
+ * Manually verify all registered algorithms against test vectors
+ */
+static u_int verify_registered_algorithms(crypto_factory_t *factory)
+{
+	private_crypto_factory_t *this = (private_crypto_factory_t*)factory;
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int failures = 0;
+
+#define TEST_ALGORITHMS(test, ...) do { \
+	enumerator = this->test##s->create_enumerator(this->test##s); \
+	while (enumerator->enumerate(enumerator, &entry)) \
+	{ \
+		if (!this->tester->test_##test(this->tester, entry->algo, ##__VA_ARGS__, \
+							entry->create_##test, NULL, entry->plugin_name)) \
+		{ \
+			failures++; \
+		} \
+	} \
+	enumerator->destroy(enumerator); \
+} while (0)
+
+	this->lock->read_lock(this->lock);
+	TEST_ALGORITHMS(crypter, 0);
+	TEST_ALGORITHMS(aead, 0, 0);
+	TEST_ALGORITHMS(signer);
+	TEST_ALGORITHMS(hasher);
+	TEST_ALGORITHMS(prf);
+	TEST_ALGORITHMS(rng);
+	this->lock->unlock(this->lock);
+	return failures;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms);
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 281dc256f..7865bcb15 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -46,7 +46,7 @@ typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo,
  * Constructor function for aead transforms
  */
 typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo,
-									  size_t key_size);
+									  size_t key_size, size_t salt_size);
 /**
  * Constructor function for signers
  */
@@ -100,10 +100,12 @@ struct crypto_factory_t {
 	 *
 	 * @param algo			encryption algorithm
 	 * @param key_size		length of the key in bytes
+	 * @param salt_size		size of salt, implicit part of the nonce
 	 * @return				aead_t instance, NULL if not supported
 	 */
 	aead_t* (*create_aead)(crypto_factory_t *this,
-						   encryption_algorithm_t algo, size_t key_size);
+						   encryption_algorithm_t algo,
+						   size_t key_size, size_t salt_size);
 
 	/**
 	 * Create a symmetric signer instance.
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 30724b16d..c6780daf1 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -204,16 +204,13 @@ METHOD(crypto_tester_t, test_crypter, bool,
 			continue;
 		}
 
-		tested++;
-		failed = TRUE;
 		crypter = create(alg, vector->key_size);
 		if (!crypter)
-		{
-			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
-				 encryption_algorithm_names, alg, plugin_name,
-				 BITS_PER_BYTE * vector->key_size);
+		{	/* key size not supported */
 			continue;
 		}
+		tested++;
+		failed = TRUE;
 
 		key = chunk_create(vector->key, crypter->get_key_size(crypter));
 		if (!crypter->set_key(crypter, key))
@@ -318,7 +315,7 @@ static u_int bench_aead(private_crypto_tester_t *this,
 {
 	aead_t *aead;
 
-	aead = create(alg, 0);
+	aead = create(alg, 0, 0);
 	if (aead)
 	{
 		char iv[aead->get_iv_size(aead)];
@@ -367,7 +364,8 @@ static u_int bench_aead(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_aead, bool,
 	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
-	aead_constructor_t create, u_int *speed, const char *plugin_name)
+	size_t salt_size, aead_constructor_t create,
+	u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	aead_test_vector_t *vector;
@@ -389,10 +387,14 @@ METHOD(crypto_tester_t, test_aead, bool,
 		{	/* test only vectors with a specific key size, if key size given */
 			continue;
 		}
+		if (salt_size && salt_size != vector->salt_size)
+		{
+			continue;
+		}
 
 		tested++;
 		failed = TRUE;
-		aead = create(alg, vector->key_size);
+		aead = create(alg, vector->key_size, vector->salt_size);
 		if (!aead)
 		{
 			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
@@ -1221,4 +1223,3 @@ crypto_tester_t *crypto_tester_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index 9ac665929..add3b1cdf 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -54,6 +54,8 @@ struct aead_test_vector_t {
 	encryption_algorithm_t alg;
 	/** key length to use, in bytes */
 	size_t key_size;
+	/** salt length to use, in bytes */
+	size_t salt_size;
 	/** encryption key of test vector */
 	u_char *key;
 	/** initialization vector, using crypters blocksize bytes */
@@ -150,13 +152,15 @@ struct crypto_tester_t {
 	 *
 	 * @param alg			algorithm to test
 	 * @param key_size		key size to test, 0 for default
+	 * @param salt_size		salt length to test, 0 for default
 	 * @param create		constructor function for the aead transform
 	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg,
-						 size_t key_size, aead_constructor_t create,
-						 u_int *speed, const char *plugin_name);
+					  size_t key_size, size_t salt_size,
+					  aead_constructor_t create,
+					  u_int *speed, const char *plugin_name);
 	/**
 	 * Test a signer algorithm.
 	 *
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 8472c30a5..c5bb4cd93 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -265,8 +265,11 @@ bool library_init(char *settings, const char *namespace)
 
 #ifdef LEAK_DETECTIVE
 	lib->leak_detective = leak_detective_create();
-	lib->leak_detective->set_report_cb(lib->leak_detective,
-									   report_leaks, sum_leaks, NULL);
+	if (lib->leak_detective)
+	{
+		lib->leak_detective->set_report_cb(lib->leak_detective,
+										   report_leaks, sum_leaks, NULL);
+	}
 #endif /* LEAK_DETECTIVE */
 
 	pfh = printf_hook_create();
diff --git a/src/libstrongswan/plugins/acert/Makefile.am b/src/libstrongswan/plugins/acert/Makefile.am
new file mode 100644
index 000000000..ba16f413a
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-acert.la
+else
+plugin_LTLIBRARIES = libstrongswan-acert.la
+endif
+
+libstrongswan_acert_la_SOURCES = \
+	acert_validator.h acert_validator.c \
+	acert_plugin.h acert_plugin.c
+
+libstrongswan_acert_la_LDFLAGS = -module -avoid-version
diff --git a/src/openac/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index b5e00bee6..3dd650d4b 100644
--- a/src/openac/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -78,10 +78,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-ipsec_PROGRAMS = openac$(EXEEXT)
-subdir = src/openac
+subdir = src/libstrongswan/plugins/acert
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp $(dist_man_MANS)
+	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -99,16 +98,49 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-PROGRAMS = $(ipsec_PROGRAMS)
-am_openac_OBJECTS = openac.$(OBJEXT)
-openac_OBJECTS = $(am_openac_OBJECTS)
-openac_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_acert_la_LIBADD =
+am_libstrongswan_acert_la_OBJECTS = acert_validator.lo acert_plugin.lo
+libstrongswan_acert_la_OBJECTS = $(am_libstrongswan_acert_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
+libstrongswan_acert_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_acert_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_acert_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_acert_la_rpath =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -143,43 +175,13 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(openac_SOURCES)
-DIST_SOURCES = $(openac_SOURCES)
+SOURCES = $(libstrongswan_acert_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_acert_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man_MANS)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -369,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -409,14 +410,19 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-openac_SOURCES = openac.c
-dist_man_MANS = openac.8
 AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${openac_plugins}\""
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
 
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-acert.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-acert.la
+libstrongswan_acert_la_SOURCES = \
+	acert_validator.h acert_validator.c \
+	acert_plugin.h acert_plugin.c
+
+libstrongswan_acert_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -430,9 +436,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/acert/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/openac/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/acert/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -451,59 +457,55 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
-	fi; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p \
-	 || test -f $$p1 \
-	  ; then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' \
-	    -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-ipsecPROGRAMS:
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' \
-	`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
-
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-
-openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES) 
-	@rm -f openac$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-acert.la: $(libstrongswan_acert_la_OBJECTS) $(libstrongswan_acert_la_DEPENDENCIES) $(EXTRA_libstrongswan_acert_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_acert_la_LINK) $(am_libstrongswan_acert_la_rpath) $(libstrongswan_acert_la_OBJECTS) $(libstrongswan_acert_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -511,7 +513,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acert_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acert_validator.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -542,49 +545,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	@list1=''; \
-	list2='$(dist_man_MANS)'; \
-	test -n "$(man8dir)" \
-	  && test -n "`echo $$list1$$list2`" \
-	  || exit 0; \
-	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
-	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
-	{ for i in $$list1; do echo "$$i"; done;  \
-	if test -n "$$list2"; then \
-	  for i in $$list2; do echo "$$i"; done \
-	    | sed -n '/\.8[a-z]*$$/p'; \
-	fi; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -670,9 +630,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(PROGRAMS) $(MANS)
+all-am: Makefile $(LTLIBRARIES)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(plugindir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -707,8 +667,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -728,7 +688,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS install-man
+install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
@@ -744,7 +704,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man8
+install-man:
 
 install-pdf: install-pdf-am
 
@@ -774,28 +734,25 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
-
-uninstall-man: uninstall-man8
+uninstall-am: uninstall-pluginLTLIBRARIES
 
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool cscopelist-am ctags ctags-am \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-man uninstall-man8
-
-openac.o :		$(top_builddir)/config.status
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/libstrongswan/plugins/acert/acert_plugin.c b/src/libstrongswan/plugins/acert/acert_plugin.c
new file mode 100644
index 000000000..01d9ae3b8
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_plugin.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "acert_plugin.h"
+#include "acert_validator.h"
+
+#include <library.h>
+
+typedef struct private_acert_plugin_t private_acert_plugin_t;
+
+/**
+ * private data of acert_plugin
+ */
+struct private_acert_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	acert_plugin_t public;
+
+	/**
+	 * Validator implementation instance.
+	 */
+	acert_validator_t *validator;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_acert_plugin_t *this)
+{
+	return "acert";
+}
+
+/**
+ * Register validator
+ */
+static bool plugin_cb(private_acert_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_acert_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "acert"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_acert_plugin_t *this)
+{
+	this->validator->destroy(this->validator);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *acert_plugin_create()
+{
+	private_acert_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.validator = acert_validator_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/acert/acert_plugin.h b/src/libstrongswan/plugins/acert/acert_plugin.h
new file mode 100644
index 000000000..97d12936d
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup acert acert
+ * @ingroup plugins
+ *
+ * @defgroup acert_plugin acert_plugin
+ * @{ @ingroup acert
+ */
+
+#ifndef ACERT_PLUGIN_H_
+#define ACERT_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct acert_plugin_t acert_plugin_t;
+
+/**
+ * X.509 attribute certificate group membership checking.
+ */
+struct acert_plugin_t {
+
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ACERT_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/acert/acert_validator.c b/src/libstrongswan/plugins/acert/acert_validator.c
new file mode 100644
index 000000000..ab15dba98
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_validator.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <library.h>
+
+#include "acert_validator.h"
+
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
+
+typedef struct private_acert_validator_t private_acert_validator_t;
+
+/**
+ * Private data of an acert_validator_t object.
+ */
+struct private_acert_validator_t {
+
+	/**
+	 * Public acert_validator_t interface.
+	 */
+	acert_validator_t public;
+};
+
+/**
+ * Check if an AC can be trusted
+ */
+static bool verify(private_acert_validator_t *this, certificate_t *ac)
+{
+	certificate_t *issuer;
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+
+	if (!ac->get_validity(ac, NULL, NULL, NULL))
+	{
+		return FALSE;
+	}
+	DBG1(DBG_CFG, "verifying attribute certificate issued by \"%Y\"",
+		 ac->get_issuer(ac));
+	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+													ac->get_issuer(ac), TRUE);
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	{
+		if (issuer->get_validity(issuer, NULL, NULL, NULL))
+		{
+			if (lib->credmgr->issued_by(lib->credmgr, ac, issuer, NULL))
+			{
+				verified = TRUE;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return verified;
+}
+
+/**
+ * Apply AC group membership to auth config
+ */
+static void apply(private_acert_validator_t *this, ac_t *ac, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	ac_group_type_t type;
+	chunk_t chunk;
+
+	enumerator = ac->create_group_enumerator(ac);
+	while (enumerator->enumerate(enumerator, &type, &chunk))
+	{
+		if (type == AC_GROUP_TYPE_STRING)
+		{
+			auth->add(auth, AUTH_RULE_GROUP,
+					  identification_create_from_data(chunk));
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(cert_validator_t, validate, bool,
+	private_acert_validator_t *this, certificate_t *subject,
+	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+	auth_cfg_t *auth)
+{
+	/* for X.509 end entity certs only */
+	if (pathlen == 0 && subject->get_type(subject) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)subject;
+		enumerator_t *enumerator;
+		identification_t *id, *serial;
+		ac_t *ac;
+
+		/* find attribute certificates by serial and issuer. A lookup by
+		 * the holder DN would work as well, but RFC 5755 recommends the use
+		 * of baseCertificateID. */
+		serial = identification_create_from_encoding(ID_KEY_ID,
+													 x509->get_serial(x509));
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509_AC, KEY_ANY, serial, FALSE);
+		while (enumerator->enumerate(enumerator, &ac))
+		{
+			id = ac->get_holderIssuer(ac);
+			if (id && id->equals(id, subject->get_issuer(subject)))
+			{
+				if (verify(this, &ac->certificate))
+				{
+					apply(this, ac, auth);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+		serial->destroy(serial);
+	}
+	return TRUE;
+}
+
+METHOD(acert_validator_t, destroy, void,
+	private_acert_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+acert_validator_t *acert_validator_create()
+{
+	private_acert_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator.validate = _validate,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/acert/acert_validator.h b/src/libstrongswan/plugins/acert/acert_validator.h
new file mode 100644
index 000000000..507776f18
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup acert_validator acert_validator
+ * @{ @ingroup acert
+ */
+
+#ifndef ACERT_VALIDATOR_H_
+#define ACERT_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct acert_validator_t acert_validator_t;
+
+/**
+ * Attribute certificate group membership checking
+ */
+struct acert_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a acert_validator_t.
+	 */
+	void (*destroy)(acert_validator_t *this);
+};
+
+/**
+ * Create a acert_validator instance.
+ */
+acert_validator_t *acert_validator_create();
+
+#endif /** ACERT_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9e91e8671..f9c0750ed 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 4ea1e8f36..08f5e9453 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 150e8d4d4..bfd9f2b6c 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index f13a96421..1e3f69f96 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index ed3f05681..b1e0f160b 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
index 65eccb2db..6d4b2e13c 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.c
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -343,7 +343,8 @@ METHOD(aead_t, destroy, void,
 /**
  * See header
  */
-ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_ccm_aead_t *this;
 	size_t icv_size;
@@ -360,6 +361,11 @@ ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
 		default:
 			return NULL;
 	}
+	if (salt_size && salt_size != SALT_SIZE)
+	{
+		/* currently not supported */
+		return NULL;
+	}
 	switch (algo)
 	{
 		case ENCR_AES_CCM_ICV8:
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
index 79ab31804..0f1ec09a7 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.h
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -44,8 +44,10 @@ struct ccm_aead_t {
  *
  * @param algo			algorithm to implement, a CCM mode
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead, NULL if not supported
  */
-ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** CCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 620d8359f..a609e7177 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 060287d1c..654800b65 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index ff34435a2..b6789e76d 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index a756a0a7e..67a92b3c2 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index ca79430c9..fb38b0738 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index b94b644c0..6986a8156 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 3bb540d90..71a61f617 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 7bce3c983..dbf9d1169 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
index ba5f2e4b3..4ab17017f 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.c
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -375,7 +375,8 @@ METHOD(aead_t, destroy, void,
 /**
  * See header
  */
-gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_gcm_aead_t *this;
 	size_t icv_size;
@@ -392,6 +393,11 @@ gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
 		default:
 			return NULL;
 	}
+	if (salt_size && salt_size != SALT_SIZE)
+	{
+		/* currently not supported */
+		return NULL;
+	}
 	switch (algo)
 	{
 		case ENCR_AES_GCM_ICV8:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
index 846c3c76c..5c09477c3 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.h
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -44,8 +44,10 @@ struct gcm_aead_t {
  *
  * @param algo			algorithm to implement, a gcm mode
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead, NULL if not supported
  */
-gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 4ce3cf919..731375dcd 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 73e0645b0..6b63e192d 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index f5e38fa90..d255cc95d 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 42093e413..38a478b77 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 7f14fbf8e..bd5bd43f2 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index bdd446cd3..a5caf8df5 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 32aac7bfa..c44893149 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index a35f8051b..fb36d16a2 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 25437bdb8..60e45db7c 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am
index b33cbc8c9..e241554b5 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.am
+++ b/src/libstrongswan/plugins/ntru/Makefile.am
@@ -12,21 +12,15 @@ endif
 
 libstrongswan_ntru_la_SOURCES = \
 	ntru_plugin.h ntru_plugin.c \
+	ntru_convert.h ntru_convert.c \
 	ntru_drbg.h ntru_drbg.c \
 	ntru_ke.h ntru_ke.c \
 	ntru_mgf1.h ntru_mgf1.c \
+	ntru_param_set.h ntru_param_set.c \
 	ntru_poly.h ntru_poly.c \
-	ntru_trits.h ntru_trits.c \
-	ntru_crypto/ntru_crypto.h \
-	ntru_crypto/ntru_crypto_ntru_convert.h \
-	ntru_crypto/ntru_crypto_ntru_convert.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
-	ntru_crypto/ntru_crypto_ntru_poly.h \
-	ntru_crypto/ntru_crypto_ntru_poly.c
+	ntru_public_key.h ntru_public_key.c \
+	ntru_private_key.h ntru_private_key.c \
+	ntru_trits.h ntru_trits.c
 
 libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index af192d203..38258048f 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -128,14 +128,10 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ntru_la_LIBADD =
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_drbg.lo \
-	ntru_ke.lo ntru_mgf1.lo ntru_poly.lo ntru_trits.lo \
-	ntru_crypto/ntru_crypto_ntru_convert.lo \
-	ntru_crypto/ntru_crypto_ntru_encrypt.lo \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.lo \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo \
-	ntru_crypto/ntru_crypto_ntru_poly.lo
+am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \
+	ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \
+	ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \
+	ntru_trits.lo
 libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -377,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -427,21 +422,15 @@ AM_CFLAGS = \
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ntru.la
 libstrongswan_ntru_la_SOURCES = \
 	ntru_plugin.h ntru_plugin.c \
+	ntru_convert.h ntru_convert.c \
 	ntru_drbg.h ntru_drbg.c \
 	ntru_ke.h ntru_ke.c \
 	ntru_mgf1.h ntru_mgf1.c \
+	ntru_param_set.h ntru_param_set.c \
 	ntru_poly.h ntru_poly.c \
-	ntru_trits.h ntru_trits.c \
-	ntru_crypto/ntru_crypto.h \
-	ntru_crypto/ntru_crypto_ntru_convert.h \
-	ntru_crypto/ntru_crypto_ntru_convert.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
-	ntru_crypto/ntru_crypto_ntru_poly.h \
-	ntru_crypto/ntru_crypto_ntru_poly.c
+	ntru_public_key.h ntru_public_key.c \
+	ntru_private_key.h ntru_private_key.c \
+	ntru_trits.h ntru_trits.c
 
 libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -524,47 +513,26 @@ clean-pluginLTLIBRARIES:
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
-ntru_crypto/$(am__dirstamp):
-	@$(MKDIR_P) ntru_crypto
-	@: > ntru_crypto/$(am__dirstamp)
-ntru_crypto/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) ntru_crypto/$(DEPDIR)
-	@: > ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_convert.lo: ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_encrypt.lo: ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_encrypt_key.lo:  \
-	ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo:  \
-	ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_poly.lo: ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
 
 libstrongswan-ntru.la: $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_DEPENDENCIES) $(EXTRA_libstrongswan_ntru_la_DEPENDENCIES) 
 	$(AM_V_CCLD)$(libstrongswan_ntru_la_LINK) $(am_libstrongswan_ntru_la_rpath) $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
-	-rm -f ntru_crypto/*.$(OBJEXT)
-	-rm -f ntru_crypto/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_convert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_param_set.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_trits.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_convert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_key.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_param_sets.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_poly.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -595,7 +563,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-	-rm -rf ntru_crypto/.libs ntru_crypto/_libs
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -712,8 +679,6 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-	-rm -f ntru_crypto/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -724,7 +689,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
 	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -770,7 +735,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_convert.c
new file mode 100644
index 000000000..6330b2e39
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_convert.c
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "ntru_convert.h"
+
+/**
+ * 3-bit to 2-trit conversion tables: 2 represents -1
+ */
+static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2};
+static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1};
+
+/**
+ * See header.
+ */
+void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits, uint8_t *trits)
+{
+	uint32_t bits24, bits3, shift;
+
+	while (num_trits >= 16)
+	{
+		/* get next three octets */
+		bits24  = ((uint32_t)(*octets++)) << 16;
+		bits24 |= ((uint32_t)(*octets++)) <<  8;
+		bits24 |=  (uint32_t)(*octets++);
+
+		/* for each 3 bits in the three octets, output 2 trits */
+		bits3 = (bits24 >> 21) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >> 18) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >> 15) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >> 12) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >>  9) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >>  6) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >>  3) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = bits24 & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		num_trits -= 16;
+	}
+	if (num_trits == 0)
+	{
+		return;
+	}
+
+	/* get three octets */
+	bits24  = ((uint32_t)(*octets++)) << 16;
+	bits24 |= ((uint32_t)(*octets++)) <<  8;
+	bits24 |=  (uint32_t)(*octets++);
+
+	shift = 21;
+	while (num_trits)
+	{
+		/**
+		 * for each 3 bits in the three octets, output up to 2 trits
+		 * until all trits needed are produced
+		 */
+		bits3 = (bits24 >> shift) & 0x7;
+		shift -= 3;
+		*trits++ = bits_2_trit1[bits3];
+		if (--num_trits)
+		{
+			*trits++ = bits_2_trit2[bits3];
+			--num_trits;
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits, uint8_t *octets)
+{
+	bool all_trits_valid = TRUE;
+	uint32_t bits24, bits3, shift;
+
+	while (num_trits >= 16)
+	{
+		/* convert each 2 trits to 3 bits and pack */
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 = (bits3 << 21);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << 18);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << 15);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << 12);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 <<  9);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 <<  6);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 <<  3);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= bits3;
+
+		num_trits -= 16;
+
+		/* output three octets */
+		*octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+		*octets++ = (uint8_t)((bits24 >>  8) & 0xff);
+		*octets++ = (uint8_t)(bits24 & 0xff);
+	}
+
+	bits24 = 0;
+	shift = 21;
+	while (num_trits)
+	{
+		/* convert each 2 trits to 3 bits and pack */
+		bits3 = *trits++ * 3;
+		if (--num_trits)
+		{
+			bits3 += *trits++;
+			--num_trits;
+		}
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << shift);
+		shift -= 3;
+	}
+
+	/* output three octets */
+	*octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+	*octets++ = (uint8_t)((bits24 >>  8) & 0xff);
+	*octets++ = (uint8_t)(bits24 & 0xff);
+
+	return all_trits_valid;
+}
+
+/**
+ * See header
+ */
+void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, uint8_t *octets)
+{
+    uint8_t bits2;
+    int shift, i;
+
+	*octets = 0;
+	shift = 6;
+	for (i = 0; i < num_coeffs; i++)
+	{
+		bits2 = (uint8_t)(coeffs[i] & 0x3);
+		*octets |= bits2 << shift;
+		shift -= 2;
+		if (shift < 0)
+		{
+			++octets;
+			*octets = 0;
+			shift = 6;
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet)
+{
+	int i;
+
+	*octet = 0;
+	for (i = 4; i >= 0; i--)
+	{
+		*octet = (*octet * 3) + trits[i];
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_octet_2_trits(uint8_t octet, uint8_t *trits)
+{
+	int i;
+
+	for (i = 0; i < 5; i++)
+	{
+		trits[i] = octet % 3;
+		octet = (octet - trits[i]) / 3;
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1,
+						  uint8_t *out)
+{
+	uint8_t trit = plus1 ? 1 : 2;
+	int  i;
+
+    for (i = 0; i < in_len; i++)
+	{
+		out[in[i]] = trit;
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits,
+								 uint16_t *indices_plus1,
+								 uint16_t *indices_minus1)
+{
+	uint8_t trits[5];
+	uint16_t i = 0;
+	int j;
+
+	while (num_trits >= 5)
+	{
+		ntru_octet_2_trits(*in++, trits);
+		num_trits -= 5;
+		for (j = 0; j < 5; j++, i++)
+		{
+			if (trits[j] == 1)
+			{
+				*indices_plus1 = i;
+				++indices_plus1;
+			}
+			else if (trits[j] == 2)
+			{
+				*indices_minus1 = i;
+				++indices_minus1;
+			}
+		}
+    }
+	if (num_trits)
+	{
+		ntru_octet_2_trits(*in, trits);
+		for (j = 0; num_trits && (j < 5); j++, i++)
+		{
+			if (trits[j] == 1)
+			{
+				*indices_plus1 = i;
+				++indices_plus1;
+			}
+			else if (trits[j] == 2)
+			{
+				*indices_minus1 = i;
+				++indices_minus1;
+			}
+			--num_trits;
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1,
+								 uint16_t num_minus1, uint16_t num_trits,
+								 uint8_t *buf, uint8_t *out)
+{
+	/* convert indices to an array of trits */
+	memset(buf, 0, num_trits);
+	ntru_indices_2_trits(num_plus1, indices, TRUE, buf);
+	ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf);
+
+	/* pack the array of trits */
+	while (num_trits >= 5)
+	{
+		ntru_trits_2_octet(buf, out);
+		num_trits -= 5;
+		buf += 5;
+		++out;
+	}
+	if (num_trits)
+	{
+		uint8_t trits[5];
+
+		memcpy(trits, buf, num_trits);
+		memset(trits + num_trits, 0, sizeof(trits) - num_trits);
+		ntru_trits_2_octet(trits, out);
+	}
+}
+
+/**
+ * See header
+ */
+void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits,
+							uint8_t *out)
+{
+	uint16_t temp;
+	int shift, i;
+
+	/* pack */
+	temp = 0;
+	shift = n_bits - 8;
+	i = 0;
+	while (i < in_len)
+	{
+		/* add bits to temp to fill an octet and output the octet */
+		temp |= in[i] >> shift;
+		*out++ = (uint8_t)(temp & 0xff);
+		shift = 8 - shift;
+		if (shift < 1)
+		{
+			/* next full octet is in current input word */
+			shift += n_bits;
+			temp = 0;
+		}
+		else
+		{
+			/* put remaining bits of input word in temp as partial octet,
+			 * and increment index to next input word
+			 */
+			temp = in[i] << (uint16_t)shift;
+			++i;
+		}
+		shift = n_bits - shift;
+	}
+
+	/* output any bits remaining in last input word */
+	if (shift != n_bits - 8)
+	{
+		*out++ = (uint8_t)(temp & 0xff);
+	}
+}
+
+
+/**
+ * See header.
+ */
+void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits,
+							uint16_t *out)
+{
+	uint16_t  temp;
+	uint16_t  mask = (1 << n_bits) - 1;
+	int shift, i;
+
+	/* unpack */
+	temp = 0;
+	shift = n_bits;
+	i = 0;
+	while (i < in_len)
+	{
+		shift = 8 - shift;
+		if (shift < 0)
+		{
+			/* the current octet will not fill the current element */
+			shift += n_bits;
+		}
+		else
+		{
+			/* add bits from the current octet to fill the current element and
+			 * output the element
+			 */
+			temp |= ((uint16_t)in[i]) >> shift;
+			*out++ = temp & mask;
+			temp = 0;
+		}
+
+		/* add the remaining bits of the current octet to start an element */
+		shift = n_bits - shift;
+		temp |= ((uint16_t)in[i]) << shift;
+		++i;
+	}
+}
diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_convert.h
new file mode 100644
index 000000000..31594b1f6
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_convert.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_convert ntru_convert
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_CONVERT_H_
+#define NTRU_CONVERT_H_
+
+#include <library.h>
+
+/**
+ * Each 3 bits in an array of octets is converted to 2 trits in an array
+ * of trits.
+ *
+ * @param octets		pointer to array of octets
+ * @param num_trits		number of trits to produce
+ * @param trits			address for array of trits
+ */
+void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits,
+					   uint8_t *trits);
+
+/**
+ * Each 2 trits in an array of trits is converted to 3 bits, and the bits
+ * are packed in an array of octets.  A multiple of 3 octets is output.
+ * Any bits in the final octets not derived from trits are zero.
+ *
+ * @param trits				pointer to array of trits
+ * @param num_trits			number of trits to convert
+ * @param octets			address for array of octets
+ * @return					TRUE if all trits were valid
+ *                     		FALSE if invalid trits were found
+ */
+bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits,
+					   uint8_t *octets);
+
+/**
+ * Takes an array of coefficients mod 4 and packs the results into an
+ * octet string.
+ *
+ * @param num_coeffs		number of coefficients
+ * @param coeffs			pointer to coefficients
+ * @param octets			address for octets
+ */
+void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs,
+							   uint8_t *octets);
+
+/**
+ * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
+ *
+ * @param trits				pointer to trits
+ * @param octet				address for octet
+ */
+void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet);
+
+/**
+ * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
+ *
+ * @param octet				octet to be unpacked
+ * @param trits				address for trits
+ */
+void ntru_octet_2_trits(uint8_t  octet, uint8_t *trits);
+
+/**
+ *
+ * Converts a list of the nonzero indices of a polynomial into an array of
+ * trits.
+ *
+ * @param in_len			no. of indices
+ * @param in				pointer to list of indices
+ * @param plus1				if list is +1 coefficients
+ * @param out				address of output polynomial
+ */
+void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1,
+						  uint8_t *out);
+
+/**
+ * Unpacks an array of N trits and creates a list of array indices 
+ * corresponding to trits = +1, and list of array indices corresponding to
+ * trits = -1.
+ *
+ * @param in				pointer to packed-trit octets
+ * @param num_trits			no. of packed trits
+ * @param indices_plus1		address for indices of +1 trits
+ * @param indices_minus1	address for indices of -1 trits
+ */
+void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits,
+								 uint16_t *indices_plus1,
+								 uint16_t *indices_minus1);
+
+/**
+ * Takes a list of array indices corresponding to elements whose values
+ * are +1 or -1, and packs the N-element array of trits described by these
+ * lists into octets, 5 trits per octet.
+ *
+ * @param indices			pointer to indices
+ * @param num_plus1			no. of indices for +1 trits
+ * @param num_minus1		no. of indices for -1 trits
+ * @param num_trits			N, no. of trits in array
+ * @param buf				temp buf, N octets
+ * @param out				address for packed octet
+ */
+void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1,
+								 uint16_t num_minus1, uint16_t num_trits,
+								 uint8_t *buf, uint8_t *out);
+
+/**
+ * Packs an array of n-bit elements into an array of
+ * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
+ *
+ * @param in_len			no. of elements to be packed
+ * @param in				ptr to elements to be packed
+ * @param n_bits			no. of bits in input element
+ * @param out				addr for output octets
+ */
+void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits,
+							uint8_t *out);
+
+/**
+ * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
+ * n-bit elements, 8 < n < 16.  Any extra bits are discarded.
+ *
+ * @param in_len			no. of octets to be unpacked
+ * @param in				ptr to octets to be unpacked
+ * @param n_bits			no. of bits in output element
+ * @param out				addr for output elements
+ */
+void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits,
+							uint16_t *out);
+
+#endif /** NTRU_CONVERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
deleted file mode 100644
index 72f47035e..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
+++ /dev/null
@@ -1,235 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
- 
-/******************************************************************************
- *
- * File: ntru_crypto.h
- *
- * Contents: Public header file for NTRUEncrypt.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_H
-#define NTRU_CRYPTO_H
-
-#include <library.h>
-
-#include "ntru_drbg.h"
-
-#if !defined( NTRUCALL )
-  #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
-    // Linux, or a Win32 static library
-    #define NTRUCALL extern uint32_t
-  #elif defined (NTRUCRYPTO_EXPORTS)
-    // Win32 DLL build
-    #define NTRUCALL extern __declspec(dllexport) uint32_t
-  #else
-    // Win32 DLL import
-    #define NTRUCALL extern __declspec(dllimport) uint32_t
-  #endif
-#endif /* NTRUCALL */
-
-/* parameter set ID list */
-
-typedef enum _NTRU_ENCRYPT_PARAM_SET_ID {
-    NTRU_EES401EP1,
-    NTRU_EES449EP1,
-    NTRU_EES677EP1,
-    NTRU_EES1087EP2,
-    NTRU_EES541EP1,
-    NTRU_EES613EP1,
-    NTRU_EES887EP1,
-    NTRU_EES1171EP1,
-    NTRU_EES659EP1,
-    NTRU_EES761EP1,
-    NTRU_EES1087EP1,
-    NTRU_EES1499EP1,
-    NTRU_EES401EP2,
-    NTRU_EES439EP1,
-    NTRU_EES593EP1,
-    NTRU_EES743EP1,
-} NTRU_ENCRYPT_PARAM_SET_ID;
-
-
-/* error codes */
-
-#define NTRU_OK                     0
-#define NTRU_FAIL                   1
-#define NTRU_BAD_PARAMETER          2
-#define NTRU_BAD_LENGTH             3
-#define NTRU_BUFFER_TOO_SMALL       4
-#define NTRU_INVALID_PARAMETER_SET  5
-#define NTRU_BAD_PUBLIC_KEY         6
-#define NTRU_BAD_PRIVATE_KEY        7
-#define NTRU_OUT_OF_MEMORY          8
-#define NTRU_BAD_ENCODING           9
-#define NTRU_OID_NOT_RECOGNIZED    10
-#define NTRU_DRBG_FAIL             11
-#define NTRU_MGF1_FAIL             12
-
-/* function declarations */
-
-/* ntru_crypto_ntru_encrypt
- *
- * Implements NTRU encryption (SVES) for the parameter set specified in
- * the public key blob.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
- *
- * The required minimum size of the output ciphertext buffer (ct) may be
- * queried by invoking this function with ct = NULL.  In this case, no
- * encryption is performed, NTRU_OK is returned, and the required minimum
- * size for ct is returned in ct_len.
- *
- * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
- * Upon return it is the actual size of the ciphertext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
- *  zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
- * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- */
-
-NTRUCALL
-ntru_crypto_ntru_encrypt(
-    ntru_drbg_t     *drbg      ,     /*     in - handle for DRBG */
-    uint16_t        pubkey_blob_len, /*     in - no. of octets in public key
-                                                 blob */
-    uint8_t const  *pubkey_blob,     /*     in - pointer to public key */
-    uint16_t        pt_len,          /*     in - no. of octets in plaintext */
-    uint8_t const  *pt,              /*     in - pointer to plaintext */
-    uint16_t       *ct_len,          /* in/out - no. of octets in ct, addr for
-                                                 no. of octets in ciphertext */
-    uint8_t        *ct);             /*    out - address for ciphertext */
-
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL.  In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- *  ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-NTRUCALL
-ntru_crypto_ntru_decrypt(
-    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
-                                                 blob */
-    uint8_t const *privkey_blob,     /*     in - pointer to private key */
-    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
-    uint8_t const *ct,               /*     in - pointer to ciphertext */
-    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
-                                                 no. of octets in plaintext */
-    uint8_t       *pt);              /*    out - address for plaintext */
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning NTRU_DRBG_FAIL.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob
- * or privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- *  privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- *  Should this occur, this function should simply be invoked again.
- */
-
-NTRUCALL
-ntru_crypto_ntru_encrypt_keygen(
-    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
-    NTRU_ENCRYPT_PARAM_SET_ID  param_set_id,     /*     in - parameter set ID */
-    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
-                                                             pubkey_blob, addr
-                                                             for no. of octets
-                                                             in pubkey_blob */
-    uint8_t                   *pubkey_blob,      /*    out - address for
-                                                             public key blob */
-    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
-                                                             privkey_blob, addr
-                                                             for no. of octets
-                                                             in privkey_blob */
-    uint8_t                   *privkey_blob);    /*    out - address for
-                                                             private key blob */
-#endif /* NTRU_CRYPTO_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
deleted file mode 100644
index 3d6dfde41..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
+++ /dev/null
@@ -1,581 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_convert.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_convert.c
- *
- * Contents: Conversion routines for NTRUEncrypt, including packing, unpacking,
- *           and others.
- *
- *****************************************************************************/
-
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include "ntru_crypto_ntru_convert.h"
-
-
-/* 3-bit to 2-trit conversion tables: 2 represents -1 */
-
-static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2};
-static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1};
-
-
-/* ntru_bits_2_trits
- *
- * Each 3 bits in an array of octets is converted to 2 trits in an array
- * of trits.
- *
- * The octet array may overlap the end of the trit array.
- */
-
-void
-ntru_bits_2_trits(
-    uint8_t const *octets,          /*  in - pointer to array of octets */
-    uint16_t       num_trits,       /*  in - number of trits to produce */
-    uint8_t       *trits)           /* out - address for array of trits */
-{
-    uint32_t bits24;
-    uint32_t bits3;
-    uint32_t shift;
-
-    assert(octets);
-    assert(trits);
-
-    while (num_trits >= 16) {
-
-        /* get next three octets */
-
-        bits24  = ((uint32_t)(*octets++)) << 16;
-        bits24 |= ((uint32_t)(*octets++)) <<  8;
-        bits24 |=  (uint32_t)(*octets++);
-
-        /* for each 3 bits in the three octets, output 2 trits */
-
-        bits3 = (bits24 >> 21) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >> 18) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >> 15) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >> 12) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >>  9) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >>  6) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >>  3) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = bits24 & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        num_trits -= 16;
-    }
-    if (num_trits == 0)
-        return;
-
-    /* get three octets */
-
-    bits24  = ((uint32_t)(*octets++)) << 16;
-    bits24 |= ((uint32_t)(*octets++)) <<  8;
-    bits24 |=  (uint32_t)(*octets++);
-
-    shift = 21;
-    while (num_trits) {
-
-        /* for each 3 bits in the three octets, output up to 2 trits
-         * until all trits needed are produced
-         */
-
-        bits3 = (bits24 >> shift) & 0x7;
-        shift -= 3;
-        *trits++ = bits_2_trit1[bits3];
-        if (--num_trits) {
-            *trits++ = bits_2_trit2[bits3];
-            --num_trits;
-        }
-    }
-}
-
-
-/* ntru_trits_2_bits
- *
- * Each 2 trits in an array of trits is converted to 3 bits, and the bits
- * are packed in an array of octets.  A multiple of 3 octets is output.
- * Any bits in the final octets not derived from trits are zero.
- *
- * Returns TRUE if all trits were valid.
- * Returns FALSE if invalid trits were found.
- */
-
-bool
-ntru_trits_2_bits(
-    uint8_t const *trits,           /*  in - pointer to array of trits */
-    uint32_t       num_trits,       /*  in - number of trits to convert */
-    uint8_t       *octets)          /* out - address for array of octets */
-{
-    bool     all_trits_valid = TRUE;
-    uint32_t bits24;
-    uint32_t bits3;
-    uint32_t shift;
-
-    assert(octets);
-    assert(trits);
-
-    while (num_trits >= 16) {
-
-        /* convert each 2 trits to 3 bits and pack */
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 = (bits3 << 21);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << 18);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << 15);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << 12);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 <<  9);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 <<  6);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 <<  3);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= bits3;
-
-        num_trits -= 16;
-
-        /* output three octets */
-
-        *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
-        *octets++ = (uint8_t)((bits24 >>  8) & 0xff);
-        *octets++ = (uint8_t)(bits24 & 0xff);
-    }
-
-    bits24 = 0;
-    shift = 21;
-    while (num_trits) {
-
-        /* convert each 2 trits to 3 bits and pack */
-
-        bits3 = *trits++ * 3;
-        if (--num_trits) {
-            bits3 += *trits++;
-            --num_trits;
-        }
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << shift);
-        shift -= 3;
-    }
-
-    /* output three octets */
-
-    *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
-    *octets++ = (uint8_t)((bits24 >>  8) & 0xff);
-    *octets++ = (uint8_t)(bits24 & 0xff);
-
-    return all_trits_valid;
-}
-
-
-/* ntru_coeffs_mod4_2_octets
- *
- * Takes an array of ring element coefficients mod 4 and packs the
- * results into an octet string.
- */
-
-void
-ntru_coeffs_mod4_2_octets(
-    uint16_t        num_coeffs,     /*  in - number of coefficients */
-    uint16_t const *coeffs,         /*  in - pointer to coefficients */
-    uint8_t        *octets)         /* out - address for octets */
-{
-    uint8_t  bits2;
-    int      shift;
-    uint16_t i;
-
-    assert(coeffs);
-    assert(octets);
-
-    *octets = 0;
-    shift = 6;
-    for (i = 0; i < num_coeffs; i++) {
-        bits2 = (uint8_t)(coeffs[i] & 0x3);
-        *octets |= bits2 << shift;
-        shift -= 2;
-        if (shift < 0) {
-            ++octets;
-            *octets = 0;
-            shift = 6;
-        }
-    }
-}
-
-
-/* ntru_trits_2_octet
- *
- * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
- */
-
-void
-ntru_trits_2_octet(
-    uint8_t const *trits,           /*  in - pointer to trits */
-    uint8_t *octet)                 /* out - address for octet */
-{
-    int i;
-
-    assert(trits);
-    assert(octet);
-
-    *octet = 0;
-    for (i = 4; i >= 0; i--) {
-        *octet = (*octet * 3) + trits[i];
-    }
-}
-
-
-/* ntru_octet_2_trits
- *
- * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
- */
-
-void
-ntru_octet_2_trits(
-    uint8_t  octet,                 /*  in - octet to be unpacked */
-    uint8_t *trits)                 /* out - address for trits */
-{
-    int i;
-
-    assert(trits);
-
-    for (i = 0; i < 5; i++) {
-        trits[i] = octet % 3;
-        octet = (octet - trits[i]) / 3;
-    }
-}
-
-
-/* ntru_indices_2_trits
- *
- * Converts a list of the nonzero indices of a polynomial into an array of
- * trits.
- */
-
-void
-ntru_indices_2_trits(
-    uint16_t        in_len,         /*  in - no. of indices */
-    uint16_t const *in,             /*  in - pointer to list of indices */
-    bool            plus1,          /*  in - if list is +1 cofficients */
-    uint8_t        *out)            /* out - address of output polynomial */
-{
-    uint8_t     trit = plus1 ? 1 : 2;
-    uint16_t    i;
-
-    assert(in);
-    assert(out);
-
-    for (i = 0; i < in_len; i++) {
-        out[in[i]] = trit;
-    }
-}
-
-
-/* ntru_packed_trits_2_indices
- *
- * Unpacks an array of N trits and creates a list of array indices 
- * corresponding to trits = +1, and list of array indices corresponding to
- * trits = -1.
- */
-
-void
-ntru_packed_trits_2_indices(
-    uint8_t const *in,              /*  in - pointer to packed-trit octets */
-    uint16_t       num_trits,       /*  in - no. of packed trits */
-    uint16_t      *indices_plus1,   /* out - address for indices of +1 trits */
-    uint16_t      *indices_minus1)  /* out - address for indices of -1 trits */
-{
-    uint8_t  trits[5];
-    uint16_t i = 0;
-    int      j;
-
-    assert(in);
-    assert(indices_plus1);
-    assert(indices_minus1);
-
-    while (num_trits >= 5) {
-        ntru_octet_2_trits(*in++, trits);
-        num_trits -= 5;
-        for (j = 0; j < 5; j++, i++) {
-            if (trits[j] == 1) {
-                *indices_plus1 = i;
-                ++indices_plus1;
-            } else if (trits[j] == 2) {
-                *indices_minus1 = i;
-                ++indices_minus1;
-            }
-        }
-    }
-    if (num_trits) {
-        ntru_octet_2_trits(*in, trits);
-        for (j = 0; num_trits && (j < 5); j++, i++) {
-            if (trits[j] == 1) {
-                *indices_plus1 = i;
-                ++indices_plus1;
-            } else if (trits[j] == 2) {
-                *indices_minus1 = i;
-                ++indices_minus1;
-            }
-            --num_trits;
-        }
-    }
-}
-
-
-/* ntru_indices_2_packed_trits
- *
- * Takes a list of array indices corresponding to elements whose values
- * are +1 or -1, and packs the N-element array of trits described by these
- * lists into octets, 5 trits per octet.
- */
-
-void
-ntru_indices_2_packed_trits(
-    uint16_t const *indices,        /*  in - pointer to indices */
-    uint16_t        num_plus1,      /*  in - no. of indices for +1 trits */
-    uint16_t        num_minus1,     /*  in - no. of indices for -1 trits */
-    uint16_t        num_trits,      /*  in - N, no. of trits in array */
-    uint8_t        *buf,            /*  in - temp buf, N octets */
-    uint8_t        *out)            /* out - address for packed octets */
-{
-    assert(indices);
-    assert(buf);
-    assert(out);
-
-    /* convert indices to an array of trits */
-
-    memset(buf, 0, num_trits);
-    ntru_indices_2_trits(num_plus1, indices, TRUE, buf);
-    ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf);
-
-    /* pack the array of trits */
-
-    while (num_trits >= 5) {
-        ntru_trits_2_octet(buf, out);
-        num_trits -= 5;
-        buf += 5;
-        ++out;
-    }
-    if (num_trits) {
-        uint8_t trits[5];
-
-        memcpy(trits, buf, num_trits);
-        memset(trits + num_trits, 0, sizeof(trits) - num_trits);
-        ntru_trits_2_octet(trits, out);
-    }
-}
-
-
-/* ntru_elements_2_octets
- *
- * Packs an array of n-bit elements into an array of
- * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
- */
-
-void
-ntru_elements_2_octets(
-    uint16_t        in_len,         /*  in - no. of elements to be packed */
-    uint16_t const *in,             /*  in - ptr to elements to be packed */
-    uint8_t         n_bits,         /*  in - no. of bits in input element */
-    uint8_t        *out)            /* out - addr for output octets */
-{
-    uint16_t  temp;
-    int       shift;
-    uint16_t  i;
-
-    assert(in_len);
-    assert(in);
-    assert((n_bits > 8) && (n_bits < 16));
-    assert(out);
-
-    /* pack */
-
-    temp = 0;
-    shift = n_bits - 8;
-    i = 0;
-    while (i < in_len) {
-
-        /* add bits to temp to fill an octet and output the octet */
-
-        temp |= in[i] >> shift;
-        *out++ = (uint8_t)(temp & 0xff);
-        shift = 8 - shift;
-        if (shift < 1) {
-
-            /* next full octet is in current input word */
-
-            shift += n_bits;
-            temp = 0;
-
-        } else {
-
-            /* put remaining bits of input word in temp as partial octet,
-             * and increment index to next input word
-             */
-            temp = in[i] << (uint16_t)shift;
-
-            ++i;
-        }
-        shift = n_bits - shift;
-    }
-
-    /* output any bits remaining in last input word */
-
-    if (shift != n_bits - 8) {
-        *out++ = (uint8_t)(temp & 0xff);
-    }
-}
-
-
-/* ntru_octets_2_elements
- *
- * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
- * n-bit elements, 8 < n_bits < 16.  Any extra bits are discarded.
- */
-
-void
-ntru_octets_2_elements(
-    uint16_t        in_len,         /*  in - no. of octets to be unpacked */
-    uint8_t const  *in,             /*  in - ptr to octets to be unpacked */
-    uint8_t         n_bits,         /*  in - no. of bits in output element */
-    uint16_t       *out)            /* out - addr for output elements */
-{
-    uint16_t  temp;
-    uint16_t  mask = (1 << n_bits) - 1;
-    int       shift;
-    uint16_t  i;
-
-    assert(in_len > 1);
-    assert(in);
-    assert((n_bits > 8) && (n_bits < 16));
-    assert(out);
-
-    /* unpack */
-
-    temp = 0;
-    shift = n_bits;
-    i = 0;
-    while (i < in_len) {
-        shift = 8 - shift;
-        if (shift < 0) {
-
-            /* the current octet will not fill the current element */
-
-            shift += n_bits;
-
-        } else {
-
-            /* add bits from the current octet to fill the current element and
-             * output the element
-             */
-
-            temp |= ((uint16_t)in[i]) >> shift;
-            *out++ = temp & mask;
-            temp = 0;
-        }
-
-        /* add the remaining bits of the current octet to start an element */
-
-        shift = n_bits - shift;
-        temp |= ((uint16_t)in[i]) << shift;
-        ++i;
-    }
-}
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
deleted file mode 100644
index 1c4b35b24..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_convert.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_convert.h
- *
- * Contents: Definitions and declarations for conversion routines
- *           for NTRUEncrypt, including packing, unpacking and others.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_NTRU_CONVERT_H
-#define NTRU_CRYPTO_NTRU_CONVERT_H
-
-#include "ntru_crypto.h"
-
-
-/* function declarations */
-
-/* ntru_bits_2_trits
- *
- * Each 3 bits in an array of octets is converted to 2 trits in an array
- * of trits.
- */
-
-extern void
-ntru_bits_2_trits(
-    uint8_t const *octets,          /*  in - pointer to array of octets */
-    uint16_t       num_trits,       /*  in - number of trits to produce */
-    uint8_t       *trits);          /* out - address for array of trits */
-
-
-/* ntru_trits_2_bits
- *
- * Each 2 trits in an array of trits is converted to 3 bits, and the bits
- * are packed in an array of octets.  A multiple of 3 octets is output.
- * Any bits in the final octets not derived from trits are zero.
- *
- * Returns TRUE if all trits were valid.
- * Returns FALSE if invalid trits were found.
- */
-
-extern bool
-ntru_trits_2_bits(
-    uint8_t const *trits,           /*  in - pointer to array of trits */
-    uint32_t       num_trits,       /*  in - number of trits to convert */
-    uint8_t       *octets);         /* out - address for array of octets */
-
-
-/* ntru_coeffs_mod4_2_octets
- *
- * Takes an array of coefficients mod 4 and packs the results into an
- * octet string.
- */
-
-extern void
-ntru_coeffs_mod4_2_octets(
-    uint16_t        num_coeffs,     /*  in - number of coefficients */
-    uint16_t const *coeffs,         /*  in - pointer to coefficients */
-    uint8_t        *octets);        /* out - address for octets */
-
-
-/* ntru_trits_2_octet
- *
- * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
- */
-
-extern void
-ntru_trits_2_octet(
-    uint8_t const *trits,           /*  in - pointer to trits */
-    uint8_t *octet);                /* out - address for octet */
-
-
-/* ntru_octet_2_trits
- *
- * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
- */
-
-extern void
-ntru_octet_2_trits(
-    uint8_t  octet,                 /*  in - octet to be unpacked */
-    uint8_t *trits);                /* out - address for trits */
-
-
-/* ntru_indices_2_trits
- *
- * Converts a list of the nonzero indices of a polynomial into an array of
- * trits.
- */
-
-extern void
-ntru_indices_2_trits(
-    uint16_t        in_len,         /*  in - no. of indices */
-    uint16_t const *in,             /*  in - pointer to list of indices */
-    bool            plus1,          /*  in - if list is +1 coefficients */
-    uint8_t        *out);           /* out - address of output polynomial */
-
-
-/* ntru_packed_trits_2_indices
- *
- * Unpacks an array of N trits and creates a list of array indices 
- * corresponding to trits = +1, and list of array indices corresponding to
- * trits = -1.
- */
-
-extern void
-ntru_packed_trits_2_indices(
-    uint8_t const *in,              /*  in - pointer to packed-trit octets */
-    uint16_t       num_trits,       /*  in - no. of packed trits */
-    uint16_t      *indices_plus1,   /* out - address for indices of +1 trits */
-    uint16_t      *indices_minus1); /* out - address for indices of -1 trits */
-
-
-/* ntru_indices_2_packed_trits
- *
- * Takes a list of array indices corresponding to elements whose values
- * are +1 or -1, and packs the N-element array of trits described by these
- * lists into octets, 5 trits per octet.
- */
-
-extern void
-ntru_indices_2_packed_trits(
-    uint16_t const *indices,        /*  in - pointer to indices */
-    uint16_t        num_plus1,      /*  in - no. of indices for +1 trits */
-    uint16_t        num_minus1,     /*  in - no. of indices for -1 trits */
-    uint16_t        num_trits,      /*  in - N, no. of trits in array */
-    uint8_t        *buf,            /*  in - temp buf, N octets */
-    uint8_t        *out);           /* out - address for packed octets */
-
-
-/* ntru_elements_2_octets
- *
- * Packs an array of n-bit elements into an array of
- * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
- */
-
-extern void
-ntru_elements_2_octets(
-    uint16_t        in_len,         /*  in - no. of elements to be packed */
-    uint16_t const *in,             /*  in - ptr to elements to be packed */
-    uint8_t         n_bits,         /*  in - no. of bits in input element */
-    uint8_t        *out);           /* out - addr for output octets */
-
-
-/* ntru_octets_2_elements
- *
- * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
- * n-bit elements, 8 < n < 16.  Any extra bits are discarded.
- */
-
-extern void
-ntru_octets_2_elements(
-    uint16_t        in_len,         /*  in - no. of octets to be unpacked */
-    uint8_t const  *in,             /*  in - ptr to octets to be unpacked */
-    uint8_t         n_bits,         /*  in - no. of bits in output element */
-    uint16_t       *out);           /* out - addr for output elements */
-
-
-#endif /* NTRU_CRYPTO_NTRU_CONVERT_H */
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
deleted file mode 100644
index dba81915a..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
+++ /dev/null
@@ -1,1034 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_encrypt.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt.c
- *
- * Contents: Routines implementing NTRUEncrypt encryption and decryption and
- *           key generation.
- *
- *****************************************************************************/
-
-
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include "ntru_crypto.h"
-#include "ntru_crypto_ntru_encrypt_param_sets.h"
-#include "ntru_crypto_ntru_encrypt_key.h"
-#include "ntru_crypto_ntru_convert.h"
-#include "ntru_crypto_ntru_poly.h"
-#
-#include "ntru_trits.h"
-#include "ntru_poly.h"
-
-/* ntru_crypto_ntru_encrypt
- *
- * Implements NTRU encryption (SVES) for the parameter set specified in
- * the public key blob.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
- *
- * The required minimum size of the output ciphertext buffer (ct) may be
- * queried by invoking this function with ct = NULL.  In this case, no
- * encryption is performed, NTRU_OK is returned, and the required minimum
- * size for ct is returned in ct_len.
- *
- * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
- * Upon return it is the actual size of the ciphertext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
-  * zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
- * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- */
-
-uint32_t
-ntru_crypto_ntru_encrypt(
-    ntru_drbg_t    *drbg,            /*     in - handle of DRBG */
-    uint16_t        pubkey_blob_len, /*     in - no. of octets in public key
-                                                 blob */
-    uint8_t const  *pubkey_blob,     /*     in - pointer to public key */
-    uint16_t        pt_len,          /*     in - no. of octets in plaintext */
-    uint8_t const  *pt,              /*     in - pointer to plaintext */
-    uint16_t       *ct_len,          /* in/out - no. of octets in ct, addr for
-                                                 no. of octets in ciphertext */
-    uint8_t        *ct)              /*    out - address for ciphertext */
-{
-    NTRU_ENCRYPT_PARAM_SET *params = NULL;
-    uint8_t const          *pubkey_packed = NULL;
-    uint8_t                 pubkey_pack_type = 0x00;
-    uint16_t                packed_ct_len;
-    size_t                  scratch_buf_len;
-    uint32_t                dr;
-    uint32_t                dr1 = 0;
-    uint32_t                dr2 = 0;
-    uint32_t                dr3 = 0;
-    uint16_t                ring_mult_tmp_len;
-    int16_t                 m1 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf = NULL;
-    uint8_t                *b_buf = NULL;
-    uint8_t                *tmp_buf = NULL;
-    bool                    msg_rep_good = FALSE;
-    hash_algorithm_t        hash_algid;
-    uint16_t                mprime_len = 0;
-    uint16_t                mod_q_mask;
-    uint32_t                result = NTRU_OK;
-	ntru_trits_t           *mask;
-	uint8_t                *mask_trits;
-	chunk_t                 seed;
-	ntru_poly_t				*r_poly;
-
-    /* check for bad parameters */
-
-	if (!pubkey_blob || !pt || !ct_len)
-	{
-		return NTRU_BAD_PARAMETER;
-	}
-	if ((pubkey_blob_len == 0) || (pt_len == 0))
-	{
-		return NTRU_BAD_LENGTH;
-	}
-
-    /* get a pointer to the parameter-set parameters, the packing type for
-     * the public key, and a pointer to the packed public key
-     */
-
-    if (!ntru_crypto_ntru_encrypt_key_parse(TRUE /* pubkey */, pubkey_blob_len,
-                                            pubkey_blob, &pubkey_pack_type,
-                                            NULL, &params, &pubkey_packed,
-                                            NULL))
-	{
-		return NTRU_BAD_PUBLIC_KEY;
-	}
-
-    /* return the ciphertext size if requested */
-
-    packed_ct_len = (params->N * params->q_bits + 7) >> 3;
-    if (!ct)
-	{
-        *ct_len = packed_ct_len;
-		return NTRU_OK;
-    }
-
-    /* check the ciphertext buffer size */
-
-    if (*ct_len < packed_ct_len)
-	{
-		return NTRU_BUFFER_TOO_SMALL;
-    }
-
-    /* check the plaintext length */
-
-    if (pt_len > params->m_len_max)
-	{
-		return NTRU_BAD_LENGTH;
-    }
-
-    /* allocate memory for all operations */
-
-    if (params->is_product_form)
-	{
-        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
-        dr1 =  params->dF_r & 0xff;
-        dr2 = (params->dF_r >>  8) & 0xff;
-        dr3 = (params->dF_r >> 16) & 0xff;
-        dr = dr1 + dr2 + dr3;
-    }
-	else
-	{
-        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
-        dr = params->dF_r;
-    }
-    scratch_buf_len = (ring_mult_tmp_len << 1) +
-                                            /* X-byte temp buf for ring mult and
-                                                other intermediate results */
-                      (params->N << 1) +    /* 2N-byte buffer for ring elements
-                                                and overflow from temp buffer */
-                      (dr << 2) +           /* buffer for r indices */
-                      params->sec_strength_len;
-                                            /* buffer for b */
-    scratch_buf = malloc(scratch_buf_len);
-    if (!scratch_buf)
-	{
-		return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf = scratch_buf + ring_mult_tmp_len;
-    b_buf = (uint8_t *)(ringel_buf + params->N);
-    tmp_buf = (uint8_t *)scratch_buf;
-
-	/* set hash algorithm based on security strength */
-	 hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
-
-    /* set constants */
-	mod_q_mask = params->q - 1;
-
-    /* loop until a message representative with proper weight is achieved */
-
-    do {
-        uint8_t *ptr = tmp_buf;
-
-        /* get b */
-        if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-                                 params->sec_strength_len, b_buf))
-		{
-			result = NTRU_OK;
-		}
-		else
-		{
-			result = NTRU_FAIL;
-		}
-
-		if (result == NTRU_OK)
-		{
-
-            /* form sData (OID || m || b || hTrunc) */
-            memcpy(ptr, params->OID, 3);
-            ptr += 3;
-            memcpy(ptr, pt, pt_len);
-            ptr += pt_len;
-            memcpy(ptr, b_buf, params->sec_strength_len);
-            ptr += params->sec_strength_len;
-            memcpy(ptr, pubkey_packed, params->sec_strength_len);
-            ptr += params->sec_strength_len;
-
-			DBG2(DBG_LIB, "generate polynomial r");
-
-			seed = chunk_create(tmp_buf, ptr - tmp_buf);
-			r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-												params->N, params->q,
-												params->dF_r, params->dF_r,
-												params->is_product_form);
-			if (!r_poly)
-			{
-			   result = NTRU_MGF1_FAIL;
-			}
-        }
-
-		if (result == NTRU_OK)
-		{
-			uint16_t pubkey_packed_len;
-
-			/* unpack the public key */
-			assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
-			pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-			ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
-								   params->q_bits, ringel_buf);
-
-			/* form R = h * r */
-			r_poly->ring_mult(r_poly, ringel_buf, ringel_buf);
-			r_poly->destroy(r_poly);
-
-			/* form R mod 4 */
-			ntru_coeffs_mod4_2_octets(params->N, ringel_buf, tmp_buf);
-
-			/* form mask */
-			seed = chunk_create(tmp_buf, (params->N + 3)/4);
-			mask = ntru_trits_create(params->N, hash_algid, seed);
-			if (!mask)
-			{
-				result = NTRU_MGF1_FAIL;
-			}
-		}
-
-		if (result == NTRU_OK)
-		{
-            uint8_t  *Mtrin_buf = tmp_buf + params->N;
-            uint8_t  *M_buf = Mtrin_buf + params->N -
-                              (params->sec_strength_len + params->m_len_len +
-                               params->m_len_max + 2);
-            uint16_t  i;
-
-            /* form the padded message M */
-            ptr = M_buf;
-            memcpy(ptr, b_buf, params->sec_strength_len);
-            ptr += params->sec_strength_len;
-            if (params->m_len_len == 2)
-                *ptr++ = (uint8_t)((pt_len >> 8) & 0xff);
-            *ptr++ = (uint8_t)(pt_len & 0xff);
-            memcpy(ptr, pt, pt_len);
-            ptr += pt_len;
-
-            /* add an extra zero byte in case without it the bit string
-             * is not a multiple of 3 bits and therefore might not be
-             * able to produce enough trits
-             */
-
-            memset(ptr, 0, params->m_len_max - pt_len + 2);
-
-            /* convert M to trits (Mbin to Mtrin) */
-            mprime_len = params->N;
-			if (params->is_product_form)
-			{
-                --mprime_len;
-			}
-
-            ntru_bits_2_trits(M_buf, mprime_len, Mtrin_buf);
-			mask_trits = mask->get_trits(mask);
-
-			/* form the msg representative m' by adding Mtrin to mask, mod p */
-			if (params->is_product_form)
-			{
-				for (i = 0; i < mprime_len; i++)
-				{
-					tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
-					if (tmp_buf[i] >= 3)
-					{
-						tmp_buf[i] -= 3;
-					}
-					if (tmp_buf[i] == 1)
-					{
-						++m1;
-					}
-					else if (tmp_buf[i] == 2)
-					{
-						--m1;
-					}
-				}
-			}
-			else
-			{
-				for (i = 0; i < mprime_len; i++)
-				{
-					tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
-					if (tmp_buf[i] >= 3)
-					{
-						tmp_buf[i] -= 3;
-					}
-				}
-			}
-			mask->destroy(mask);
-
-            /* check that message representative meets minimum weight
-             * requirements
-             */
-
-            if (params->is_product_form)
-                msg_rep_good = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
-                                        (bool)( m1 <= params->min_msg_rep_wt);
-            else
-                msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf,
-                                                       params->min_msg_rep_wt);
-            msg_rep_good = TRUE;
-        }
-    } while ((result == NTRU_OK) && !msg_rep_good);
-
-	if (result == NTRU_OK)
-	{
-        uint16_t i;
-
-        /* form ciphertext e by adding m' to R mod q */
-
-        for (i = 0; i < mprime_len; i++) {
-            if (tmp_buf[i] == 1)
-                ringel_buf[i] = (ringel_buf[i] + 1) & mod_q_mask;
-            else if (tmp_buf[i] == 2)
-                ringel_buf[i] = (ringel_buf[i] - 1) & mod_q_mask;
-        }
-        if (params->is_product_form)
-            ringel_buf[i] = (ringel_buf[i] - m1) & mod_q_mask;
-
-        /* pack ciphertext */
-        ntru_elements_2_octets(params->N, ringel_buf, params->q_bits, ct);
-        *ct_len = packed_ct_len;
-    }
-
-    /* cleanup */
-    memset(scratch_buf, 0, scratch_buf_len);
-    free(scratch_buf);
-    
-	return result;
-}
-
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL.  In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- *  ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-uint32_t
-ntru_crypto_ntru_decrypt(
-    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
-                                                 blob */
-    uint8_t const *privkey_blob,     /*     in - pointer to private key */
-    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
-    uint8_t const *ct,               /*     in - pointer to ciphertext */
-    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
-                                                 no. of octets in plaintext */
-    uint8_t       *pt)               /*    out - address for plaintext */
-{
-    NTRU_ENCRYPT_PARAM_SET *params = NULL;
-    uint8_t const          *privkey_packed = NULL;
-    uint8_t const          *pubkey_packed = NULL;
-    uint8_t                 privkey_pack_type = 0x00;
-    uint8_t                 pubkey_pack_type = 0x00;
-    size_t                  scratch_buf_len;
-    uint32_t                dF_r;
-    uint32_t                dF_r1 = 0;
-    uint32_t                dF_r2 = 0;
-    uint32_t                dF_r3 = 0;
-    uint16_t                ring_mult_tmp_len;
-    int16_t                 m1 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf1 = NULL;
-    uint16_t               *ringel_buf2 = NULL;
-    uint16_t               *i_buf = NULL;
-    uint8_t                *m_buf = NULL;
-    uint8_t                *tmp_buf = NULL;
-    uint8_t                *Mtrin_buf = NULL;
-    uint8_t                *M_buf = NULL;
-    uint8_t                *ptr = NULL;
-    hash_algorithm_t        hash_algid;
-    uint16_t                cmprime_len;
-    uint16_t                mod_q_mask;
-    uint16_t                q_mod_p;
-    uint16_t                cm_len = 0;
-    uint16_t                num_zeros;
-    uint16_t                i;
-    bool                    decryption_ok = TRUE;
-    uint32_t                result = NTRU_OK;
-	ntru_trits_t           *mask;
-	uint8_t                *mask_trits;
-	chunk_t                 seed;
-	ntru_poly_t			   *F_poly, *r_poly;
-
-	/* check for bad parameters */
-	if (!privkey_blob || !ct || !pt_len)
-	{
-		return NTRU_BAD_PARAMETER;
-	}
-	if ((privkey_blob_len == 0) || (ct_len == 0))
-	{
-		return NTRU_BAD_LENGTH;
-	}
-
-    /* get a pointer to the parameter-set parameters, the packing types for
-     * the public and private keys, and pointers to the packed public and
-     * private keys
-     */
-
-	if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */,
-                                            privkey_blob_len,
-                                            privkey_blob, &pubkey_pack_type,
-                                            &privkey_pack_type, &params,
-                                            &pubkey_packed, &privkey_packed))
-	{
-		return NTRU_BAD_PRIVATE_KEY;
-	}
-
-    /* return the max plaintext size if requested */
-
-	if (!pt)
-	{
-        *pt_len = params->m_len_max;
-		return NTRU_OK;
-    }
-
-    /* cannot check the plaintext buffer size until after the plaintext
-     * is derived, if we allow plaintext buffers only as large as the
-     * actual plaintext
-     */
-
-    /* check the ciphertext length */
-
-	if (ct_len != (params->N * params->q_bits + 7) >> 3)
-	{
-		return NTRU_BAD_LENGTH;
-	}
-
-    /* allocate memory for all operations */
-
-	if (params->is_product_form)
-	{
-        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
-        dF_r1 =  params->dF_r & 0xff;
-        dF_r2 = (params->dF_r >>  8) & 0xff;
-        dF_r3 = (params->dF_r >> 16) & 0xff;
-        dF_r = dF_r1 + dF_r2 + dF_r3;
-    } else {
-        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
-        dF_r = params->dF_r;
-    }
-    scratch_buf_len = (ring_mult_tmp_len << 1) +
-                                            /* X-byte temp buf for ring mult and
-                                                other intermediate results */
-                      (params->N << 2) +    /* 2 2N-byte bufs for ring elements
-                                                and overflow from temp buffer */
-                      (dF_r << 2) +         /* buffer for F, r indices */
-                      params->m_len_max;    /* buffer for plaintext */
-    scratch_buf = malloc(scratch_buf_len);
-	if (!scratch_buf)
-	{
-		return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf1 = scratch_buf + ring_mult_tmp_len;
-    ringel_buf2 = ringel_buf1 + params->N;
-    i_buf = ringel_buf2 + params->N;
-    m_buf = (uint8_t *)(i_buf + (dF_r << 1));
-    tmp_buf = (uint8_t *)scratch_buf;
-    Mtrin_buf = (uint8_t *)ringel_buf1;
-    M_buf = Mtrin_buf + params->N;
-
-	/* set hash algorithm based on security strength */
-	hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
-
-    /* set constants */
-    mod_q_mask = params->q - 1;
-    q_mod_p = params->q % 3;
-
-    /* unpack the ciphertext */
-    ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2);
-
-    /* unpack the private key */
-    if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS)
-	{
-        ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf,
-                                    i_buf + dF_r);
-
-    }
-	else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES)
-	{
-        ntru_octets_2_elements(
-                (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3,
-                privkey_packed, params->N_bits, i_buf);
-
-    }
-	else
-	{
-        assert(FALSE);
-    }
-
-    /* form cm':
-     *  F * e
-     *  A = e * (1 + pF) mod q = e + pFe mod q
-     *  a = A in the range [-q/2, q/2)
-     *  cm' = a mod p
-     */
-	F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q,
-										params->dF_r, params->dF_r,
-									    params->is_product_form);
-	F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1);
-	F_poly->destroy(F_poly);
-
-    cmprime_len = params->N;
-    if (params->is_product_form)
-	{
-         --cmprime_len;
-		for (i = 0; i < cmprime_len; i++)
-		{
-			ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
-			if (ringel_buf1[i] >= (params->q >> 1))
-			{
-				ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
-			}
-			Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
-			if (Mtrin_buf[i] == 1)
-			{
-				++m1;
-			}
-			else if (Mtrin_buf[i] == 2)
-			{
-				--m1;
-			}
-		}
-	}
-	else
-	{
-		for (i = 0; i < cmprime_len; i++)
-		{
-			ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
-			if (ringel_buf1[i] >= (params->q >> 1))
-			{
-				ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
-			}
-			Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
-		}
-	}
-
-    /* check that the candidate message representative meets minimum weight
-     * requirements
-     */
-
-    if (params->is_product_form)
-	{
-	    decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
-	                             (bool)( m1 <= params->min_msg_rep_wt);
-	}
-	else
-	{
-        decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf,
-												   params->min_msg_rep_wt);
-	}
-
-	/* form cR = e - cm' mod q */
-	for (i = 0; i < cmprime_len; i++)
-	{
-		if (Mtrin_buf[i] == 1)
-		{
-			ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask;
-		}
-		else if (Mtrin_buf[i] == 2)
-		{
-			ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask;
-		}
-	}
-	if (params->is_product_form)
-	{
-		ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask;
-	}
-
-	/* form cR mod 4 */
-	ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf);
-
-	/* form mask */
-	seed = chunk_create(tmp_buf, (params->N + 3)/4);
-	mask = ntru_trits_create(params->N, hash_algid, seed);
-	if (!mask)
-	{
-		result = NTRU_MGF1_FAIL;
-	}
-	else
-	{
-		mask_trits = mask->get_trits(mask);
-
-		/* form cMtrin by subtracting mask from cm', mod p */
-		for (i = 0; i < cmprime_len; i++)
-		{
-			Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i];
-			if (Mtrin_buf[i] >= 3)
-			{
-				Mtrin_buf[i] += 3;
-			}
-		}
-		mask->destroy(mask);
-
-        if (params->is_product_form)
-
-            /* set the last trit to zero since that's what it was, and
-             * because it can't be calculated from (cm' - mask) since
-             * we don't have the correct value for the last cm' trit
-             */
-
-            Mtrin_buf[i] = 0;
-
-        /* convert cMtrin to cM (Mtrin to Mbin) */
-
-        if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf))
-            decryption_ok = FALSE;
-
-        /* validate the padded message cM and copy cm to m_buf */
-
-        ptr = M_buf + params->sec_strength_len;
-        if (params->m_len_len == 2)
-            cm_len = (uint16_t)(*ptr++) << 16;
-        cm_len |= (uint16_t)(*ptr++);
-        if (cm_len > params->m_len_max) {
-            cm_len = params->m_len_max;
-            decryption_ok = FALSE;
-        }
-        memcpy(m_buf, ptr, cm_len);
-        ptr += cm_len;
-        num_zeros = params->m_len_max - cm_len + 1;
-        for (i = 0; i < num_zeros; i++) {
-            if (ptr[i] != 0)
-                decryption_ok = FALSE;
-        }
-
-        /* form sData (OID || m || b || hTrunc) */
-
-        ptr = tmp_buf;
-        memcpy(ptr, params->OID, 3);
-        ptr += 3;
-        memcpy(ptr, m_buf, cm_len);
-        ptr += cm_len;
-        memcpy(ptr, M_buf, params->sec_strength_len);
-        ptr += params->sec_strength_len;
-        memcpy(ptr, pubkey_packed, params->sec_strength_len);
-        ptr += params->sec_strength_len;
-
-        /* generate cr */
-		DBG2(DBG_LIB, "generate polynomial r");
-
-		seed = chunk_create(tmp_buf, ptr - tmp_buf);
-		r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-											params->N, params->q,
-											params->dF_r, params->dF_r,
-											params->is_product_form);
-		if (!r_poly)
-		{
-		   result = NTRU_MGF1_FAIL;
-		}
-    }
-
-	if (result == NTRU_OK)
-	{
-		/* unpack the public key */
-		{
-            uint16_t pubkey_packed_len;
-
-			assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
-			pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-			ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
-								   params->q_bits, ringel_buf1);
-		}
-
-		/* form cR' = h * cr */
-		r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1);
-		r_poly->destroy(r_poly);
-
-		/* compare cR' to cR */
-		for (i = 0; i < params->N; i++)
-		{
-			if (ringel_buf1[i] != ringel_buf2[i])
-			{
-                decryption_ok = FALSE;
-			}
-		}
-
-        /* output plaintext and plaintext length */
-		if (decryption_ok)
-		{
-			if (*pt_len < cm_len)
-			{
-				return NTRU_BUFFER_TOO_SMALL;
-			}
-			memcpy(pt, m_buf, cm_len);
-			*pt_len = cm_len;
-        }
-    }
-
-	/* cleanup */
-	memset(scratch_buf, 0, scratch_buf_len);
-	free(scratch_buf);
-    
-	if (!decryption_ok)
-	{
-		return NTRU_FAIL;
-	}
-
-	return result;
-}
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or
- *  privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- *  privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- *  Should this occur, this function should simply be invoked again.
- */
-
-uint32_t
-ntru_crypto_ntru_encrypt_keygen(
-    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
-    NTRU_ENCRYPT_PARAM_SET_ID  param_set_id,     /*     in - parameter set ID */
-    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
-                                                             pubkey_blob, addr
-                                                             for no. of octets
-                                                             in pubkey_blob */
-    uint8_t                   *pubkey_blob,      /*    out - address for
-                                                             public key blob */
-    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
-                                                             privkey_blob, addr
-                                                             for no. of octets
-                                                             in privkey_blob */
-    uint8_t                   *privkey_blob)     /*    out - address for
-                                                             private key blob */
-{
-    NTRU_ENCRYPT_PARAM_SET *params = NULL;
-    uint16_t                public_key_blob_len;
-    uint16_t                private_key_blob_len;
-    uint8_t                 pubkey_pack_type;
-    uint8_t                 privkey_pack_type;
-    size_t                  scratch_buf_len;
-    uint32_t                dF;
-    uint32_t                dF1 = 0;
-    uint32_t                dF2 = 0;
-    uint32_t                dF3 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf1 = NULL;
-    uint16_t               *ringel_buf2 = NULL;
-    uint8_t                *tmp_buf = NULL;
-    uint16_t                mod_q_mask;
-    hash_algorithm_t        hash_algid;
-    uint16_t                seed_len;
-	chunk_t					seed;
-    uint32_t                result = NTRU_OK;
-	ntru_poly_t			   *F_poly = NULL;
-	ntru_poly_t            *g_poly = NULL;
-	uint16_t			   *F_indices;
-
-    /* get a pointer to the parameter-set parameters */
-
-    if ((params = ntru_encrypt_get_params_with_id(param_set_id)) == NULL)
-	{
-		return NTRU_INVALID_PARAMETER_SET;
-	}
-
-    /* check for bad parameters */
-
-    if (!pubkey_blob_len || !privkey_blob_len)
-	{
-		return NTRU_BAD_PARAMETER;
-	}
-
-    /* get public and private key packing types and blob lengths */
-
-    ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type,
-                                                 &public_key_blob_len,
-                                                 &privkey_pack_type,
-                                                 &private_key_blob_len);
-
-    /* return the pubkey_blob size and/or privkey_blob size if requested */
-
-    if (!pubkey_blob || !privkey_blob)
-	{
-        if (!pubkey_blob)
-            *pubkey_blob_len = public_key_blob_len;
-        if (!privkey_blob)
-            *privkey_blob_len = private_key_blob_len;
-		return NTRU_OK;
-    }
-
-    /* check size of output buffers */
-
-    if ((*pubkey_blob_len < public_key_blob_len) ||
-            (*privkey_blob_len < private_key_blob_len))
-	{
-		return NTRU_BUFFER_TOO_SMALL;
-	}
-
-    /* allocate memory for all operations */
-    if (params->is_product_form) {
-        dF1 =  params->dF_r & 0xff;
-        dF2 = (params->dF_r >> 8) & 0xff;
-        dF3 = (params->dF_r >> 16) & 0xff;
-        dF = dF1 + dF2 + dF3;
-    } else {
-        dF = params->dF_r;
-    }
-
-    scratch_buf_len = (params->N * 8) +     /* 4N-byte temp buffer for ring inv
-                                                and other intermediate results,
-                                               2N-byte buffer for f, g indices
-                                                and overflow from temp buffer,
-                                               2N-byte buffer for f^-1 */
-                      (dF << 2);            /* buffer for F indices */
-    scratch_buf = malloc(scratch_buf_len);
-	if (!scratch_buf)
-	{
-		return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf1 = scratch_buf + (params->N << 1);
-    ringel_buf2 = ringel_buf1 + params->N;
-    tmp_buf = (uint8_t *)scratch_buf;
-
-	/* set hash algorithm and seed length based on security strength */
-    if (params->sec_strength_len <= 20)
-	{
-		hash_algid = HASH_SHA1;
-	}
-	else
-	{
-		hash_algid = HASH_SHA256;
-	}
-	seed_len = params->sec_strength_len + 8;
-
-    /* set constants */
-
-    mod_q_mask = params->q - 1;
-
-    /* get random bytes for seed for generating trinary F
-     * as a list of indices
-     */
-
-    if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-							 seed_len, tmp_buf))
-	{
-		result = NTRU_OK;
-	}
-	else
-	{
-		result = NTRU_DRBG_FAIL;
-	}
-
-	if (result == NTRU_OK)
-	{
-		DBG2(DBG_LIB, "generate polynomial F");
-
-		seed = chunk_create(tmp_buf, seed_len);
-		F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-											params->N, params->q,
-											params->dF_r, params->dF_r,
-											params->is_product_form);
-		if (!F_poly)
-		{
-		   result = NTRU_MGF1_FAIL;
-		}
-    }
-
-	if (result == NTRU_OK)
-	{
-		int i;
-
-		F_poly->get_array(F_poly, ringel_buf1);
-
-		/* form f = 1 + pF */
-		for (i = 0; i < params->N; i++)
-		{
-			ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask;
-		}
-		ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask;
-
-		/* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
-		if (!ntru_ring_inv(ringel_buf1, params->N, params->q,
-						   scratch_buf, ringel_buf2))
-		{
-			result = NTRU_FAIL;
-		}
-	}
-
-	if (result == NTRU_OK)
-	{
-
-        /* get random bytes for seed for generating trinary polynomial g
-         * as a list of indices
-         */
-        if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-								  seed_len, tmp_buf))
-		{
-			result = NTRU_DRBG_FAIL;
-		}
-    }
-
-	if (result == NTRU_OK)
-	{
-		DBG2(DBG_LIB, "generate polynomial g");
-
-		seed = chunk_create(tmp_buf, seed_len);
-		g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-											params->N, params->q,
-											params->dg + 1, params->dg, FALSE);
-		if (!g_poly)
-		{
-		   result = NTRU_MGF1_FAIL;
-		}
-   }
-
-	if (result == NTRU_OK)
-	{
-		uint16_t i;
-
-		/* compute h = p * (f^-1 * g) mod q */
-		g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2);
-		g_poly->destroy(g_poly);
-
-		for (i = 0; i < params->N; i++)
-		{
-			ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask;
-		}
-
-		/* create public key blob */
-		ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2,
-													    pubkey_pack_type,
-														pubkey_blob);
-		*pubkey_blob_len = public_key_blob_len;
-
-		/* create private key blob */
-		F_indices = F_poly->get_indices(F_poly);
-		ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2,
-														 F_indices,
-														 privkey_pack_type,
-														 tmp_buf, privkey_blob);
-		*privkey_blob_len = private_key_blob_len;
-    }
-
-	/* cleanup */
-	DESTROY_IF(F_poly);
-	memset(scratch_buf, 0, scratch_buf_len);
-	free(scratch_buf);
-  
-	return result;
-}
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
deleted file mode 100644
index 90baaadf3..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
+++ /dev/null
@@ -1,360 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_encrypt_key.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt_key.c
- *
- * Contents: Routines for exporting and importing public and private keys
- *           for NTRUEncrypt.
- *
- *****************************************************************************/
-
-
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include "ntru_crypto_ntru_encrypt_key.h"
-
-
-/* ntru_crypto_ntru_encrypt_key_parse
- *
- * Parses an NTRUEncrypt key blob.
- * If the blob is not corrupt, returns packing types for public and private
- * keys, a pointer to the parameter set, a pointer to the public key, and
- * a pointer to the private key if it exists.
- *
- * Returns TRUE if successful.
- * Returns FALSE if the blob is invalid.
- */
-
-bool
-ntru_crypto_ntru_encrypt_key_parse(
-    bool                     pubkey_parse,      /*  in - if parsing pubkey
-                                                         blob */
-    uint16_t                 key_blob_len,      /*  in - no. octets in key
-                                                         blob */
-    uint8_t const           *key_blob,          /*  in - pointer to key blob */
-    uint8_t                 *pubkey_pack_type,  /* out - addr for pubkey
-                                                         packing type */
-    uint8_t                 *privkey_pack_type, /* out - addr for privkey
-                                                         packing type */
-    NTRU_ENCRYPT_PARAM_SET **params,            /* out - addr for ptr to
-                                                         parameter set */
-    uint8_t const          **pubkey,            /* out - addr for ptr to
-                                                         packed pubkey */
-    uint8_t const          **privkey)           /* out - addr for ptr to
-                                                         packed privkey */
-{
-    uint8_t tag;
-
-    assert(key_blob_len);
-    assert(key_blob);
-    assert(pubkey_pack_type);
-    assert(params);
-    assert(pubkey);
-
-    /* parse key blob based on tag */
-
-    tag = key_blob[0];
-    switch (tag) {
-        case NTRU_ENCRYPT_PUBKEY_TAG:
-            if (!pubkey_parse)
-                return FALSE;
-            break;
-        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
-            assert(privkey_pack_type);
-            assert(privkey);
-            if (pubkey_parse)
-                return FALSE;
-            break;
-        default:
-            return FALSE;
-    }
-
-    switch (tag) {
-        case NTRU_ENCRYPT_PUBKEY_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
-
-            /* Version 0:
-             *  byte  0:   tag
-             *  byte  1:   no. of octets in OID
-             *  bytes 2-4: OID
-             *  bytes 5- : packed pubkey
-             *             [packed privkey]
-             */
-
-        {
-            NTRU_ENCRYPT_PARAM_SET *p = NULL;
-            uint16_t pubkey_packed_len;
-
-            /* check OID length and minimum blob length for tag and OID */
-
-            if ((key_blob_len < 5) || (key_blob[1] != 3))
-                return FALSE;
-
-            /* get a pointer to the parameter set corresponding to the OID */
-
-            if ((p = ntru_encrypt_get_params_with_OID(key_blob + 2)) == NULL)
-                return FALSE;
-
-            /* check blob length and assign pointers to blob fields */
-
-            pubkey_packed_len = (p->N * p->q_bits + 7) / 8;
-            if (pubkey_parse) { /* public-key parsing */
-                if (key_blob_len != 5 + pubkey_packed_len)
-                    return FALSE;
-
-                *pubkey = key_blob + 5;
-
-            } else { /* private-key parsing */
-                uint16_t privkey_packed_len;
-                uint16_t privkey_packed_trits_len = (p->N + 4) / 5;
-                uint16_t privkey_packed_indices_len;
-                uint16_t dF;
-
-                /* check packing type for product-form private keys */
-
-                if (p->is_product_form &&
-                        (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG))
-                    return FALSE;
-
-                /* set packed-key length for packed indices */
-
-                if (p->is_product_form)
-                    dF = (uint16_t)( (p->dF_r & 0xff) +            /* df1 */
-                                    ((p->dF_r >>  8) & 0xff) +     /* df2 */
-                                    ((p->dF_r >> 16) & 0xff));     /* df3 */
-                else
-                    dF = (uint16_t)p->dF_r;
-                privkey_packed_indices_len = ((dF << 1) * p->N_bits + 7) >> 3;
-
-                /* set private-key packing type if defaulted */
-
-                if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) {
-                    if (p->is_product_form ||
-                            (privkey_packed_indices_len <=
-                             privkey_packed_trits_len))
-                        tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG;
-                    else
-                        tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG;
-                }
-
-                if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)
-                    privkey_packed_len = privkey_packed_trits_len;
-                else
-                    privkey_packed_len = privkey_packed_indices_len;
-
-                if (key_blob_len != 5 + pubkey_packed_len + privkey_packed_len)
-                    return FALSE;
-
-                *pubkey = key_blob + 5;
-                *privkey = *pubkey + pubkey_packed_len;
-                *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ?
-                    NTRU_ENCRYPT_KEY_PACKED_TRITS :
-                    NTRU_ENCRYPT_KEY_PACKED_INDICES;
-            }
-
-            /* return parameter set pointer */
-
-            *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
-            *params = p;
-        }
-        default:
-            break;  /* can't get here */
-    }
-    return TRUE;
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format.  For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
-                                                               bytes in
-                                                               pubkey blob */
-    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
-                                                               packing type */
-    uint16_t                     *privkey_blob_len)   /* out - addr for no. of
-                                                               bytes in
-                                                               privkey blob */
-{
-    uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-
-    assert(params);
-    assert(pubkey_pack_type);
-    assert(pubkey_blob_len);
-
-    *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
-    *pubkey_blob_len = 5 + pubkey_packed_len;
-
-    if (privkey_pack_type && privkey_blob_len) {
-        uint16_t privkey_packed_trits_len = (params->N + 4) / 5;
-        uint16_t privkey_packed_indices_len;
-        uint16_t dF;
-
-        if (params->is_product_form)
-            dF = (uint16_t)( (params->dF_r & 0xff) +            /* df1 */
-                            ((params->dF_r >>  8) & 0xff) +     /* df2 */
-                            ((params->dF_r >> 16) & 0xff));     /* df3 */
-        else
-            dF = (uint16_t)params->dF_r;
-        privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3;
-
-        if (params->is_product_form ||
-                (privkey_packed_indices_len <= privkey_packed_trits_len)) {
-            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES;
-            *privkey_blob_len =
-                5 + pubkey_packed_len + privkey_packed_indices_len;
-        } else {
-            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS;
-            *privkey_blob_len =
-                5 + pubkey_packed_len + privkey_packed_trits_len;
-        }
-    }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
-                                                               type */
-    uint8_t                      *pubkey_blob)        /* out - addr for the
-                                                               pubkey blob */
-{
-    assert(params);
-    assert(pubkey);
-    assert(pubkey_blob);
-
-    switch (pubkey_pack_type) {
-        case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS:
-            *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG;
-            *pubkey_blob++ = (uint8_t)sizeof(params->OID);
-            memcpy(pubkey_blob, params->OID, sizeof(params->OID));
-            pubkey_blob += sizeof(params->OID);
-            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
-                                   pubkey_blob);
-            break;
-        default:
-            assert(FALSE);
-    }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a private key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint16_t const               *privkey,            /*  in - pointer to the
-                                                               indices of the
-                                                               privkey */
-    uint8_t                       privkey_pack_type,  /*  in - privkey packing
-                                                               type */
-    uint8_t                      *buf,                /*  in - temp, N bytes */
-    uint8_t                      *privkey_blob)       /* out - addr for the
-                                                               privkey blob */
-{
-    assert(params);
-    assert(pubkey);
-    assert(privkey);
-    assert(privkey_blob);
-
-    switch (privkey_pack_type) {
-        case NTRU_ENCRYPT_KEY_PACKED_TRITS:
-        case NTRU_ENCRYPT_KEY_PACKED_INDICES:
-
-            /* format header and packed public key */
-
-            *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG;
-            *privkey_blob++ = (uint8_t)sizeof(params->OID);
-            memcpy(privkey_blob, params->OID, sizeof(params->OID));
-            privkey_blob += sizeof(params->OID);
-            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
-                                   privkey_blob);
-            privkey_blob += (params->N * params->q_bits + 7) >> 3;
-
-            /* add packed private key */
-
-            if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) {
-                ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r,
-                                            (uint16_t)params->dF_r,
-                                            params->N, buf, privkey_blob);
-            } else {
-                uint32_t dF;
-
-                if (params->is_product_form) {
-                    dF =  (params->dF_r & 0xff) +
-                         ((params->dF_r >> 8) & 0xff) +
-                         ((params->dF_r >> 16) & 0xff);
-                } else {
-                    dF = params->dF_r;
-                }
-                ntru_elements_2_octets((uint16_t)dF << 1, privkey,
-                                       params->N_bits, privkey_blob);
-            }
-            break;
-        default:
-            assert(FALSE);
-            break;
-    }
-}
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
deleted file mode 100644
index 6734f2a4c..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_cencrypt_key.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
-
-
-#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
-#define NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
-
-#include "ntru_crypto_ntru_convert.h"
-#include "ntru_crypto_ntru_encrypt_param_sets.h"
-
-
-/* key-blob definitions */
-
-#define NTRU_ENCRYPT_PUBKEY_TAG           0x01
-#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG  0x02
-#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG    0xfe
-#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG  0xff
-
-/* packing types */
-
-#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS    0x01
-#define NTRU_ENCRYPT_KEY_PACKED_INDICES         0x02
-#define NTRU_ENCRYPT_KEY_PACKED_TRITS           0x03
-
-/* function declarations */
-
-
-/* ntru_crypto_ntru_encrypt_key_parse
- *
- * Parses an NTRUEncrypt key blob.
- * If the blob is not corrupt, returns packing types for public and private
- * keys, a pointer to the parameter set, a pointer to the public key, and
- * a pointer to the private key if it exists.
- *
- * Returns TRUE if successful.
- * Returns FALSE if the blob is invalid.
- */
-
-extern bool
-ntru_crypto_ntru_encrypt_key_parse(
-    bool                     pubkey_parse,      /*  in - if parsing pubkey
-                                                         blob */
-    uint16_t                 key_blob_len,      /*  in - no. octets in key
-                                                         blob */
-    uint8_t const           *key_blob,          /*  in - pointer to key blob */
-    uint8_t                 *pubkey_pack_type,  /* out - addr for pubkey
-                                                         packing type */
-    uint8_t                 *privkey_pack_type, /* out - addr for privkey
-                                                         packing type */
-    NTRU_ENCRYPT_PARAM_SET **params,            /* out - addr for ptr to
-                                                         parameter set */
-    uint8_t const          **pubkey,            /* out - addr for ptr to
-                                                         packed pubkey */
-    uint8_t const          **privkey);          /* out - addr for ptr to
-                                                         packed privkey */
-
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format.  For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
-                                                               bytes in
-                                                               pubkey blob */
-    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
-                                                               packing type */
-    uint16_t                     *privkey_blob_len);  /* out - addr for no. of
-                                                               bytes in
-                                                               privkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint8_t                      *pubkey_blob);       /* out - addr for the
-                                                               pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob
- *
- * Returns a public key blob, recreated from an already-packed public key.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t                      packed_pubkey_len,  /*  in - no. octets in
-                                                               packed pubkey */
-    uint8_t const                *packed_pubkey,      /*  in - pointer to the
-                                                               packed pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
-                                                               type */
-    uint8_t                      *pubkey_blob);       /* out - addr for the
-                                                               pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a privlic key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint16_t const               *privkey,            /*  in - pointer to the
-                                                               indices of the
-                                                               privkey */
-    uint8_t                       privkey_pack_type,  /*  in - privkey packing
-                                                               type */
-    uint8_t                      *buf,                /*  in - temp, N bytes */
-    uint8_t                      *privkey_blob);      /* out - addr for the
-                                                               privkey blob */
-
-
-#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
deleted file mode 100644
index e5e977a0e..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_encrypt_param_sets.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt_param_sets.h
- *
- * Contents: Definitions and declarations for the NTRUEncrypt parameter sets.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
-#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
-
-#include "ntru_crypto.h"
-
-/* structures */
-
-typedef struct _NTRU_ENCRYPT_PARAM_SET {
-    NTRU_ENCRYPT_PARAM_SET_ID id;                 /* parameter-set ID */
-    uint8_t const             OID[3];             /* pointer to OID */
-    uint8_t                   der_id;             /* parameter-set DER id */
-    uint8_t                   N_bits;             /* no. of bits in N (i.e. in
-                                                     an index */
-    uint16_t                  N;                  /* ring dimension */
-    uint16_t                  sec_strength_len;   /* no. of octets of
-                                                     security strength */
-    uint16_t                  q;                  /* big modulus */
-    uint8_t                   q_bits;             /* no. of bits in q (i.e. in
-                                                     a coefficient */
-    bool                      is_product_form;    /* if product form used */
-    uint32_t                  dF_r;               /* no. of 1 or -1 coefficients
-                                                     in ring elements F, r */
-    uint16_t                  dg;                 /* no. - 1 of 1 coefficients
-                                                     or no. of -1 coefficients
-                                                     in ring element g */
-    uint16_t                  m_len_max;          /* max no. of plaintext
-                                                     octets */
-    uint16_t                  min_msg_rep_wt;     /* min. message
-                                                     representative weight */
-    uint8_t                   c_bits;             /* no. bits in candidate for
-                                                     deriving an index in
-                                                     IGF-2 */
-    uint8_t                   m_len_len;          /* no. of octets to hold
-                                                     mLenOctets */
-} NTRU_ENCRYPT_PARAM_SET;
-
-
-
-/* function declarations */
-
-/* ntru_encrypt_get_params_with_id
- *
- * Looks up a set of NTRU Encrypt parameters based on the id of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
- */
-
-extern NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_id(
-    NTRU_ENCRYPT_PARAM_SET_ID id);  /*  in - parameter-set id */
-
-
-/* ntru_encrypt_get_params_with_OID
- *
- * Looks up a set of NTRU Encrypt parameters based on the OID of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
- */
-
-extern NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_OID(
-    uint8_t const *oid);            /*  in - pointer to parameter-set OID */
-
-#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
deleted file mode 100644
index 8e4eede87..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_poly.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-#include <stdlib.h>
-#include <string.h>
-#include "ntru_crypto_ntru_poly.h"
-
-/* ntru_poly_check_min_weight
- *
- * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
- * a minimum weight.
- */
-
-bool
-ntru_poly_check_min_weight(
-    uint16_t  num_els,              /*  in - degree of polynomial */
-    uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
-    uint16_t  min_wt)               /*  in - minimum weight */
-{
-    uint16_t wt[3];
-    uint16_t i;
-
-    wt[0] = wt[1] = wt[2] = 0;
-    for (i = 0; i < num_els; i++) {
-       ++wt[ringels[i]];
-    }
-    if ((wt[0] < min_wt) || (wt[1] < min_wt) || (wt[2] < min_wt)) {
-        return FALSE;
-    }
-    return TRUE;
-}
-
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-void
-ntru_ring_mult_coefficients(
-    uint16_t const *a,          /*  in - pointer to polynomial a */
-    uint16_t const *b,          /*  in - pointer to polynomial b */
-    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *c)          /* out - address for polynomial c */
-{
-    uint16_t const *bptr = b;
-    uint16_t        mod_q_mask = q - 1;
-    uint16_t        i, k;
-
-    /* c[k] = sum(a[i] * b[k-i]) mod q */
-    memset(c, 0, N * sizeof(uint16_t));
-    for (k = 0; k < N; k++) {
-        i = 0;
-        while (i <= k)
-            c[k] += a[i++] * *bptr--;
-        bptr += N;
-        while (i < N)
-            c[k] += a[i++] * *bptr--;
-        c[k] &= mod_q_mask;
-        ++bptr;
-    }
-}
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-bool
-ntru_ring_inv(
-    uint16_t       *a,          /*  in - pointer to polynomial a */
-    uint16_t        N,          /*  in - no. of coefficients in a */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *t,          /*  in - temp buffer of 2N elements */
-    uint16_t       *a_inv)      /* out - address for polynomial a^-1 */
-{
-    uint8_t  *b = (uint8_t *)t;     /* b cannot be in a_inv since it must be
-                                       rotated and copied there as a^-1 mod 2 */
-    uint8_t  *c = b + N;            /* c cannot be in a_inv since it exchanges
-                                       with b, and b cannot be in a_inv */
-    uint8_t  *f = c + N;
-    uint8_t  *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */
-    uint16_t *t2 = t + N;
-    uint16_t  deg_b;
-    uint16_t  deg_c;
-    uint16_t  deg_f;
-    uint16_t  deg_g;
-    uint16_t  k = 0;
-    bool      done = FALSE;
-    uint16_t  i, j;
-
-    /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
-    memset(b, 0, (N << 1));                /* clear to init b, c */
-
-    /* b(X) = 1 */
-    b[0] = 1;
-    deg_b = 0;
-
-    /* c(X) = 0 (cleared above) */
-    deg_c = 0;
-
-    /* f(X) = a(X) mod 2 */
-    for (i = 0; i < N; i++)
-        f[i] = (uint8_t)(a[i] & 1);
-    deg_f = N - 1;
-
-    /* g(X) = X^N - 1 */
-    g[0] = 1;
-    memset(g + 1, 0, N - 1);
-    g[N] = 1;
-    deg_g = N;
-
-    /* until f(X) = 1 */
-
-	while (!done)
-	{
-
-        /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
-
-        for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
-        if (i > deg_f)
-            return FALSE;
-        if (i) {
-            f = f + i;
-            deg_f = deg_f - i;
-            deg_c = deg_c + i;
-            for (j = deg_c; j >= i; j--)
-                c[j] = c[j-i];
-            for (j = 0; j < i; j++)
-                c[j] = 0;
-            k = k + i;
-        }
-
-        /* adjust degree of f(X) if the highest coefficients are zero
-         * Note: f[0] = 1 from above so the loop will terminate.
-         */
-
-        while (f[deg_f] == 0)
-            --deg_f;
-
-        /* if f(X) = 1, done
-         * Note: f[0] = 1 from above, so only check the x term and up
-         */
-
-        for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
-        if (i > deg_f) {
-            done = TRUE;
-            break;
-        }
-
-        /* if deg_f < deg_g, f <-> g, b <-> c */
-
-        if (deg_f < deg_g) {
-            uint8_t *x;
-
-            x = f;
-            f = g;
-            g = x;
-            deg_f ^= deg_g;
-            deg_g ^= deg_f;
-            deg_f ^= deg_g;
-            x = b;
-            b = c;
-            c = x;
-            deg_b ^= deg_c;
-            deg_c ^= deg_b;
-            deg_b ^= deg_c;
-        }
-
-        /* f(X) += g(X), b(X) += c(X) */
-
-        for (i = 0; i <= deg_g; i++)
-            f[i] ^= g[i];
-
-        if (deg_c > deg_b)
-            deg_b = deg_c;
-        for (i = 0; i <= deg_c; i++)
-            b[i] ^= c[i];
-    }
-
-    /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
-
-    j = 0;
-    if (k >= N)
-        k = k - N;
-    for (i = k; i < N; i++)
-        a_inv[j++] = (uint16_t)(b[i]);
-    for (i = 0; i < k; i++)
-        a_inv[j++] = (uint16_t)(b[i]);
-
-    /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
-
-    for (j = 0; j < 4; ++j) {       /* assumes 256 < q <= 65536 */
-
-        /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
-
-        memcpy(t2, a_inv, N * sizeof(uint16_t));
-        ntru_ring_mult_coefficients(a, t2, N, q, t);
-        for (i = 0; i < N; ++i)
-            t[i] = q - t[i];
-        t[0] = t[0] + 2;
-        ntru_ring_mult_coefficients(t2, t, N, q, a_inv);
-    }
-
-    return TRUE;
-
-
-}
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
deleted file mode 100644
index 1e9d467ed..000000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_poly.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File:  ntru_crypto_ntru_poly.h
- *
- * Contents: Public header file for generating and operating on polynomials
- *           in the NTRU algorithm.
- *
- *****************************************************************************/
-
-
-#ifndef NTRU_CRYPTO_NTRU_POLY_H
-#define NTRU_CRYPTO_NTRU_POLY_H
-
-
-#include "ntru_crypto.h"
-
-#include <crypto/hashers/hasher.h>
-
-
-/* function declarations */
-
-/* ntru_poly_check_min_weight
- *
- * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
- * a minimum weight.
- */
-
-extern bool
-ntru_poly_check_min_weight(
-    uint16_t  num_els,              /*  in - degree of polynomial */
-    uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
-    uint16_t  min_wt);              /*  in - minimum weight */
-
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-extern void
-ntru_ring_mult_coefficients(
-    uint16_t const *a,          /*  in - pointer to polynomial a */
-    uint16_t const *b,          /*  in - pointer to polynomial b */
-    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *c);         /* out - address for polynomial c */
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-extern bool
-ntru_ring_inv(
-    uint16_t       *a,          /*  in - pointer to polynomial a */
-    uint16_t        N,          /*  in - no. of coefficients in a */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *t,          /*  in - temp buffer of 2N elements */
-    uint16_t       *a_inv);     /* out - address for polynomial a^-1 */
-
-
-#endif /* NTRU_CRYPTO_NTRU_POLY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c
index 181a58939..ef0d3d9c8 100644
--- a/src/libstrongswan/plugins/ntru/ntru_drbg.c
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c
@@ -67,6 +67,10 @@ struct private_ntru_drbg_t {
 	 */
 	chunk_t value;
 
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
 };
 
 /**
@@ -180,13 +184,23 @@ METHOD(ntru_drbg_t, generate, bool,
 	return TRUE;
 }
 
+METHOD(ntru_drbg_t, get_ref, ntru_drbg_t*,
+	private_ntru_drbg_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
 METHOD(ntru_drbg_t, destroy, void,
 	private_ntru_drbg_t *this)
 {
-	this->hmac->destroy(this->hmac);
-	chunk_clear(&this->key);
-	chunk_clear(&this->value);
-	free(this);
+	if (ref_put(&this->ref))
+	{
+		this->hmac->destroy(this->hmac);
+		chunk_clear(&this->key);
+		chunk_clear(&this->value);
+		free(this);
+	}
 }
 
 /*
@@ -238,6 +252,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
 			.get_strength = _get_strength,
 			.reseed = _reseed,
 			.generate = _generate,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
 		.strength = strength,
@@ -247,6 +262,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
 		.value = chunk_alloc(hmac->get_block_size(hmac)),
 		.max_requests = max_requests,
 		.reseed_counter = 1,
+		.ref = 1,
 	);
 
 	memset(this->key.ptr, 0x00, this->key.len);
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h
index 38ac718ae..83cef11be 100644
--- a/src/libstrongswan/plugins/ntru/ntru_drbg.h
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h
@@ -58,6 +58,13 @@ struct ntru_drbg_t {
 										u_int8_t *out);
 
 	/**
+	 * Get a reference on an ntru_drbg_t object increasing the count by one
+	 *
+	 * @return			reference to the ntru_drbg_t object
+	 */
+	ntru_drbg_t* (*get_ref)(ntru_drbg_t *this);
+
+	/**
 	 * Uninstantiate and destroy the DRBG object
 	 */
 	void (*destroy)(ntru_drbg_t *this);
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index 39fb261cd..abaa22336 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,54 +15,33 @@
 
 #include "ntru_ke.h"
 #include "ntru_drbg.h"
-
-#include "ntru_crypto/ntru_crypto.h"
+#include "ntru_param_set.h"
+#include "ntru_private_key.h"
+#include "ntru_public_key.h"
 
 #include <crypto/diffie_hellman.h>
 #include <utils/debug.h>
 
 typedef struct private_ntru_ke_t private_ntru_ke_t;
-typedef struct param_set_t param_set_t;
-
-/**
- * Defines an NTRU parameter set by ID or OID
- */
-struct param_set_t {
-	NTRU_ENCRYPT_PARAM_SET_ID id;
-	char oid[3];
-	char *name;
-};
 
 /* Best bandwidth and speed, no X9.98 compatibility */
-static param_set_t param_sets_optimum[] = {
-	{ NTRU_EES401EP2,  {0x00, 0x02, 0x10}, "ees401ep2"  },
-	{ NTRU_EES439EP1,  {0x00, 0x03, 0x10}, "ees439ep1"  },
-	{ NTRU_EES593EP1,  {0x00, 0x05, 0x10}, "ees593ep1"  },
-	{ NTRU_EES743EP1,  {0x00, 0x06, 0x10}, "ees743ep1"  }
+static ntru_param_set_id_t param_sets_optimum[] = {
+	NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1
 };
 
 /* X9.98/IEEE 1363.1 parameter sets for best speed */
-static param_set_t param_sets_x9_98_speed[] = {
-	{ NTRU_EES659EP1,  {0x00, 0x02, 0x06}, "ees659ep1"  },
-	{ NTRU_EES761EP1,  {0x00, 0x03, 0x05}, "ees761ep1"  },
-	{ NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" },
-	{ NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" }
+static ntru_param_set_id_t param_sets_x9_98_speed[] = {
+	NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1
 };
 
 /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
-static param_set_t param_sets_x9_98_bandwidth[] = {
-	{ NTRU_EES401EP1,  {0x00, 0x02, 0x04}, "ees401ep1"  },
-	{ NTRU_EES449EP1,  {0x00, 0x03, 0x03}, "ees449ep1"  },
-	{ NTRU_EES677EP1,  {0x00, 0x05, 0x03}, "ees677ep1"  },
-	{ NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" }
+static ntru_param_set_id_t param_sets_x9_98_bandwidth[] = {
+	NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP2
 };
 
 /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
-static param_set_t param_sets_x9_98_balance[] = {
-	{ NTRU_EES541EP1,  {0x00, 0x02, 0x05}, "ees541ep1"  },
-	{ NTRU_EES613EP1,  {0x00, 0x03, 0x04}, "ees613ep1"  },
-	{ NTRU_EES887EP1,  {0x00, 0x05, 0x04}, "ees887ep1"  },
-	{ NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" }
+static ntru_param_set_id_t param_sets_x9_98_balance[] = {
+	NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1
 };
 
 /**
@@ -82,7 +61,7 @@ struct private_ntru_ke_t {
 	/**
 	 * NTRU Parameter Set
 	 */
-	param_set_t *param_set;
+	ntru_param_set_t *param_set;
 
 	/**
 	 * Cryptographical strength in bits of the NTRU Parameter Set
@@ -92,12 +71,12 @@ struct private_ntru_ke_t {
 	/**
 	 * NTRU Public Key
 	 */
-	chunk_t pub_key;
+	ntru_public_key_t *pubkey;
 
 	/**
 	 * NTRU Private Key
 	 */
-	chunk_t priv_key;
+	ntru_private_key_t *privkey;
 
 	/**
 	 * NTRU encrypted shared secret
@@ -133,8 +112,6 @@ struct private_ntru_ke_t {
 METHOD(diffie_hellman_t, get_my_public_value, void,
 	private_ntru_ke_t *this, chunk_t *value)
 {
-    uint16_t pub_key_len, priv_key_len;
-
 	*value = chunk_empty;
 
 	if (this->responder)
@@ -146,34 +123,19 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
 	}
 	else
 	{
-		if (this->pub_key.len == 0)
+		if (!this->pubkey)
 		{
-			/* determine the NTRU public and private key sizes */
-			if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
-								&pub_key_len, NULL,
-				 				&priv_key_len, NULL) != NTRU_OK)
-			{
-				DBG1(DBG_LIB, "error determining NTRU public and private key "
-							  "sizes");
-				return;
-			}
-			this->pub_key  = chunk_alloc(pub_key_len);
-			this->priv_key = chunk_alloc(priv_key_len);
-
 			/* generate a random NTRU public/private key pair */
-		    if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
-								&pub_key_len, this->pub_key.ptr,
-				 				&priv_key_len, this->priv_key.ptr) != NTRU_OK)
+			this->privkey = ntru_private_key_create(this->drbg, this->param_set);
+			if (!this->privkey)
 			{
 				DBG1(DBG_LIB, "NTRU keypair generation failed");
-				chunk_free(&this->priv_key);
-				chunk_free(&this->pub_key);
 				return;
 			}
-			DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
-			DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
+			this->pubkey = this->privkey->get_public_key(this->privkey);
 		}
-		*value = chunk_clone(this->pub_key);
+		*value = chunk_clone(this->pubkey->get_encoding(this->pubkey));
+		DBG3(DBG_LIB, "NTRU public key: %B", value);
 	}
 }
 
@@ -194,9 +156,7 @@ METHOD(diffie_hellman_t, get_shared_secret, status_t,
 METHOD(diffie_hellman_t, set_other_public_value, void,
 	private_ntru_ke_t *this, chunk_t value)
 {
-	u_int16_t plaintext_len, ciphertext_len;
-
-	if (this->priv_key.len)
+	if (this->privkey)
 	{
 		/* initiator decrypting shared secret */
 		if (value.len == 0)
@@ -204,48 +164,36 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 			DBG1(DBG_LIB, "empty NTRU ciphertext");
 			return;
 		}
-		this->ciphertext = chunk_clone(value);
-		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
-
-		/* determine the size of the maximum plaintext */
-    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
-								this->ciphertext.len, this->ciphertext.ptr,
-								&plaintext_len, NULL) != NTRU_OK)
-		{
-			DBG1(DBG_LIB, "error determining maximum plaintext size");
-			return;
-		}
-		this->shared_secret = chunk_alloc(plaintext_len);
+		DBG3(DBG_LIB, "NTRU ciphertext: %B", &value);
 
 		/* decrypt the shared secret */
-    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
-						this->ciphertext.len, this->ciphertext.ptr,
-						&plaintext_len, this->shared_secret.ptr) != NTRU_OK)
+ 		if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
 		{
 			DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
-			chunk_free(&this->shared_secret);
 			return;
 		}
-		this->shared_secret.len = plaintext_len;
 		this->computed = TRUE;
 	}
 	else
 	{
+		ntru_public_key_t *pubkey;
+
 		/* responder generating and encrypting the shared secret */
 		this->responder = TRUE;
 
-		/* check the NTRU public key format */
-		if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+		DBG3(DBG_LIB, "NTRU public key: %B", &value);
+		pubkey = ntru_public_key_create_from_data(this->drbg, value);
+		if (!pubkey)
 		{
-			DBG1(DBG_LIB, "received NTRU public key with invalid header");
 			return;
 		}
-		if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+		if (pubkey->get_id(pubkey) != this->param_set->id)
 		{
-			DBG1(DBG_LIB, "received NTRU public key with wrong OID");
+			DBG1(DBG_LIB, "received NTRU public key with wrong OUI");
+			pubkey->destroy(pubkey);
 			return;
 		}
-		this->pub_key = chunk_clone(value);
+		this->pubkey = pubkey;
 
 		/* shared secret size is chosen as twice the cryptographical strength */
 		this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
@@ -260,25 +208,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		}
 		this->computed = TRUE;
 
-		/* determine the size of the ciphertext */
-		if (ntru_crypto_ntru_encrypt(this->drbg,
-							this->pub_key.len,	this->pub_key.ptr,
-							this->shared_secret.len, this->shared_secret.ptr,
-                            &ciphertext_len, NULL) != NTRU_OK)
-		{
-			DBG1(DBG_LIB, "error determining ciphertext size");
-			return;
-		}
-		this->ciphertext = chunk_alloc(ciphertext_len);
-
 		/* encrypt the shared secret */
-		if (ntru_crypto_ntru_encrypt(this->drbg,
-							this->pub_key.len,	this->pub_key.ptr,
-							this->shared_secret.len, this->shared_secret.ptr,
-                            &ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
+		if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext))
 		{
 			DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
-			chunk_free(&this->ciphertext);
 			return;
 		}
 		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
@@ -294,11 +227,11 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
 METHOD(diffie_hellman_t, destroy, void,
 	private_ntru_ke_t *this)
 {
+	DESTROY_IF(this->privkey);
+	DESTROY_IF(this->pubkey);
 	this->drbg->destroy(this->drbg);
 	this->entropy->destroy(this->entropy);
-	chunk_free(&this->pub_key);
 	chunk_free(&this->ciphertext);
-	chunk_clear(&this->priv_key);
 	chunk_clear(&this->shared_secret);
 	free(this);
 }
@@ -309,7 +242,7 @@ METHOD(diffie_hellman_t, destroy, void,
 ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
 	private_ntru_ke_t *this;
-	param_set_t *param_sets, *param_set;
+	ntru_param_set_id_t *param_sets, param_set_id;
 	rng_t *entropy;
 	ntru_drbg_t *drbg;
 	char *parameter_set;
@@ -339,25 +272,25 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 	{
 		case NTRU_112_BIT:
 			strength = 112;
-			param_set = &param_sets[0];
+			param_set_id = param_sets[0];
 			break;
 		case NTRU_128_BIT:
 			strength = 128;
-			param_set = &param_sets[1];
+			param_set_id = param_sets[1];
 			break;
 		case NTRU_192_BIT:
 			strength = 192;
-			param_set = &param_sets[2];
+			param_set_id = param_sets[2];
 			break;
 		case NTRU_256_BIT:
 			strength = 256;
-			param_set = &param_sets[3];
+			param_set_id = param_sets[3];
 			break;
 		default:
 			return NULL;
 	}
-	DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
-				   parameter_set, param_set->name);
+	DBG1(DBG_LIB, "%u bit %s NTRU parameter set %N selected", strength,
+				   parameter_set, ntru_param_set_id_names, param_set_id);
 
 	entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!entropy)
@@ -385,7 +318,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 			},
 		},
 		.group = group,
-		.param_set = param_set,
+		.param_set = ntru_param_set_get_by_id(param_set_id),
 		.strength = strength,
 		.entropy = entropy,
 		.drbg = drbg,
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c b/src/libstrongswan/plugins/ntru/ntru_param_set.c
index 5ddf91d2a..4af1e3091 100644
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
+++ b/src/libstrongswan/plugins/ntru/ntru_param_set.c
@@ -1,44 +1,49 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_param_sets.c is a component of ntru-crypto.
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt_param_sets.c
  *
- * Contents: Defines the NTRUEncrypt parameter sets.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  *
- *****************************************************************************/
-
-#include <stdlib.h>
-#include <string.h>
-#include "ntru_crypto_ntru_encrypt_param_sets.h"
-
-
-/* parameter sets */
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
-static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
+#include "ntru_param_set.h"
+
+#include <utils/test.h>
+
+ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1,
+	"ees401ep1",
+	"ees449ep1",
+	"ees677ep1",
+	"ees1087ep2",
+	"ees541ep1",
+	"ees613ep1",
+	"ees887ep1",
+	"ees1171ep1",
+	"ees659ep1",
+	"ees761ep1",
+	"ees1087ep1",
+	"ees1499ep1",
+	"ees401ep2",
+	"ees439ep1",
+	"ees593ep1",
+	"ees743ep1"
+);
+
+/**
+ * NTRU encryption parameter set definitions
+ */
+static ntru_param_set_t ntru_param_sets[] = {
 
+	/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
     {
         NTRU_EES401EP1,              /* parameter-set id */
         {0x00, 0x02, 0x04},          /* OID */
@@ -97,7 +102,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         NTRU_EES1087EP2,             /* parameter-set id */
         {0x00, 0x06, 0x03},          /* OID */
         0x25,                        /* DER id */
-        10,                          /* no. of bits in N (i.e., in an index) */
+        11,                          /* no. of bits in N (i.e., in an index) */
         1087,                        /* N */
         32,                          /* security strength in octets */
         2048,                        /* q */
@@ -111,6 +116,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         1,                           /* lLen */
     },
 
+	/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
     {
         NTRU_EES541EP1,              /* parameter-set id */
         {0x00, 0x02, 0x05},          /* OID */
@@ -183,6 +189,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         1,                           /* lLen */
     },
 
+	/* X9.98/IEEE 1363.1 parameter sets for best speed */
     {
         NTRU_EES659EP1,              /* parameter-set id */
         {0x00, 0x02, 0x06},          /* OID */
@@ -255,6 +262,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         1,                           /* lLen */
     },
 
+	/* Best bandwidth and speed, no X9.98 compatibility */
     {
         NTRU_EES401EP2,              /* parameter-set id */
         {0x00, 0x02, 0x10},          /* OID */
@@ -329,56 +337,39 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
 
 };
 
-static size_t numParamSets =
-                sizeof(ntruParamSets)/sizeof(NTRU_ENCRYPT_PARAM_SET);
-
-
-/* functions */
-
-/* ntru_encrypt_get_params_with_id
- *
- * Looks up a set of NTRUEncrypt parameters based on the id of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
+/**
+ * See header.
  */
-
-NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_id(
-    NTRU_ENCRYPT_PARAM_SET_ID id)   /*  in - parameter-set id */
+ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id)
 {
-    size_t i;
-
-    for (i = 0; i < numParamSets; i++) {
-        if (ntruParamSets[i].id == id) {
-            return &(ntruParamSets[i]);
-        }
-    }
-    return NULL;
+	int i;
+
+	for (i = 0; i < countof(ntru_param_sets); i++)
+	{
+		if (ntru_param_sets[i].id == id)
+		{
+			return &ntru_param_sets[i];
+		}
+	}
+	return NULL;
 }
 
 
-/* ntru_encrypt_get_params_with_OID
- *
- * Looks up a set of NTRUEncrypt parameters based on the OID of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
+/**
+ * See header.
  */
-
-NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_OID(
-    uint8_t const *oid)             /*  in - pointer to parameter-set OID */
+ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid)
 {
-    size_t i;
-
-    for (i = 0; i < numParamSets; i++) {
-        if (!memcmp(ntruParamSets[i].OID, oid, 3)) {
-            return &(ntruParamSets[i]);
-        }
-    }
-    return NULL;
+	int i;
+
+	for (i = 0; i < countof(ntru_param_sets); i++)
+	{
+		if (memeq(ntru_param_sets[i].oid, oid, 3))
+		{
+			return &ntru_param_sets[i];
+		}
+	}
+	return NULL;
 }
 
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id);
diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.h b/src/libstrongswan/plugins/ntru/ntru_param_set.h
new file mode 100644
index 000000000..df4e55333
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_param_set.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_param_set ntru_param_set
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PARAM_SET_H_
+#define NTRU_PARAM_SET_H_
+
+typedef enum ntru_param_set_id_t ntru_param_set_id_t;
+typedef struct ntru_param_set_t ntru_param_set_t;
+
+#include <library.h>
+
+/**
+ * Encoding types for NTRU encryption public/private key blobs
+ */
+#define NTRU_PUBKEY_TAG           0x01
+#define NTRU_PRIVKEY_DEFAULT_TAG  0x02
+#define NTRU_PRIVKEY_TRITS_TAG    0xfe
+#define NTRU_PRIVKEY_INDICES_TAG  0xff
+
+/**
+ * Size in octets of the OID designating the NTRU encryption parameter set
+ */
+#define NTRU_OID_LEN	3
+
+/**
+ * Packing types for NTRU encryption public/private keys
+ */
+#define NTRU_KEY_PACKED_COEFFICIENTS    0x01
+#define NTRU_KEY_PACKED_INDICES         0x02
+#define NTRU_KEY_PACKED_TRITS           0x03
+
+/**
+ * NTRU encryption parameter set ID list
+ */
+enum ntru_param_set_id_t {
+	/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
+	NTRU_EES401EP1,
+	NTRU_EES449EP1,
+	NTRU_EES677EP1,
+	NTRU_EES1087EP2,
+	/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
+	NTRU_EES541EP1,
+	NTRU_EES613EP1,
+	NTRU_EES887EP1,
+	NTRU_EES1171EP1,
+	/* X9.98/IEEE 1363.1 parameter sets for best speed */
+	NTRU_EES659EP1,
+	NTRU_EES761EP1,
+	NTRU_EES1087EP1,
+	NTRU_EES1499EP1,
+	/* Best bandwidth and speed, no X9.98 compatibility */
+	NTRU_EES401EP2,
+	NTRU_EES439EP1,
+	NTRU_EES593EP1,
+	NTRU_EES743EP1,
+};
+
+extern enum_name_t *ntru_param_set_id_names;
+
+/**
+ * NTRU encryption parameter set definitions
+ */
+struct ntru_param_set_t {
+	ntru_param_set_id_t id;     /* NTRU parameter set ID */
+	uint8_t  oid[NTRU_OID_LEN]; /* pointer to OID */
+	uint8_t  der_id;            /* parameter-set DER id */
+	uint8_t  N_bits;            /* no. of bits in N (i.e. in an index */
+	uint16_t N;                 /* ring dimension */
+	uint16_t sec_strength_len;  /* no. of octets of security strength */
+	uint16_t q;                 /* big modulus */
+	uint8_t  q_bits;            /* no. of bits in q (i.e. in a coefficient */
+	bool     is_product_form;   /* if product form used */
+	uint32_t dF_r;              /* no. of +1 or -1 coefficients in ring elements
+                                   F, r */
+	uint16_t dg;                /* no. - 1 of +1 coefficients or
+                                   no. of -1 coefficients in ring element g */
+	uint16_t m_len_max;         /* max no. of plaintext octets */
+	uint16_t min_msg_rep_wt;    /* min. message representative weight */
+	uint8_t  c_bits;            /* no. bits in candidate for deriving an index */
+	uint8_t  m_len_len;         /* no. of octets to hold mLenOctets */
+};
+
+/**
+ * Get NTRU encryption parameter set by NTRU parameter set ID
+ *
+ * @param id	NTRU parameter set ID
+ * @return		NTRU parameter set
+*/
+ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id);
+
+/**
+ * Get NTRU encryption parameter set by NTRU parameter set OID
+ *
+ * @param oid	NTRU parameter set OID
+ * @return		NTRU parameter set
+*/
+ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid);
+
+#endif /** NTRU_PARAM_SET_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
index 3f754f2a0..77ab54a5c 100644
--- a/src/libstrongswan/plugins/ntru/ntru_poly.c
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -239,11 +239,29 @@ METHOD(ntru_poly_t, destroy, void,
 	free(this);
 }
 
-static void init_indices(private_ntru_poly_t *this, bool is_product_form,
-						 uint32_t indices_len_p, uint32_t indices_len_m)
+/**
+ * Creates an empty ntru_poly_t object with space allocated for indices
+ */
+static private_ntru_poly_t* ntru_poly_create(uint16_t N, uint16_t q,
+											 uint32_t indices_len_p,
+											 uint32_t indices_len_m,
+											 bool is_product_form)
 {
+	private_ntru_poly_t *this;
 	int n;
 
+	INIT(this,
+		.public = {
+			.get_size = _get_size,
+			.get_indices = _get_indices,
+			.get_array = _get_array,
+			.ring_mult = _ring_mult,
+			.destroy = _destroy,
+		},
+		.N = N,
+		.q = q,
+	);
+
 	if (is_product_form)
 	{
 		this->num_polynomials = 3;
@@ -265,6 +283,8 @@ static void init_indices(private_ntru_poly_t *this, bool is_product_form,
 		this->num_indices = indices_len_p + indices_len_m;
 	}
 	this->indices = malloc(sizeof(uint16_t) * this->num_indices);
+
+	return this;
 }
 
 /*
@@ -291,19 +311,8 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
 	}
 	i = hash_len = mgf1->get_hash_size(mgf1);
 
-	INIT(this,
-		.public = {
-			.get_size = _get_size,
-			.get_indices = _get_indices,
-			.get_array = _get_array,
-			.ring_mult = _ring_mult,
-			.destroy = _destroy,
-		},
-		.N = N,
-		.q = q,
-	);
+	this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form);
 
-	init_indices(this, is_product_form, indices_len_p, indices_len_m);
 	used = malloc(N);
 	limit = N * ((1 << c_bits) / N);
 
@@ -390,19 +399,8 @@ ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q,
 	private_ntru_poly_t *this;
 	int i;
 
-	INIT(this,
-		.public = {
-			.get_size = _get_size,
-			.get_indices = _get_indices,
-			.get_array = _get_array,
-			.ring_mult = _ring_mult,
-			.destroy = _destroy,
-		},
-		.N = N,
-		.q = q,
-	);
+	this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form);
 
-	init_indices(this, is_product_form, indices_len_p, indices_len_m);
 	for (i = 0; i < this->num_indices; i++)
 	{
 		this->indices[i] = data[i];
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c
new file mode 100644
index 000000000..fa87fe9c3
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_private_key.c
@@ -0,0 +1,892 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_private_key.h"
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+#include "ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_private_key_t private_ntru_private_key_t;
+
+/**
+ * Private data of an ntru_private_key_t object.
+ */
+struct private_ntru_private_key_t {
+
+	/**
+	 * Public ntru_private_key_t interface.
+	 */
+	ntru_private_key_t public;
+
+	/**
+	 * NTRU Parameter Set
+	 */
+	ntru_param_set_t *params;
+
+	/**
+	 * Polynomial F which is the private key
+	 */
+	ntru_poly_t *privkey;
+
+	/**
+	 * Polynomial h which is the public key
+	 */
+	uint16_t *pubkey;
+
+	/**
+	 * Encoding of the private key
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Deterministic Random Bit Generator
+	 */
+	ntru_drbg_t *drbg;
+
+};
+
+METHOD(ntru_private_key_t, get_id, ntru_param_set_id_t,
+	private_ntru_private_key_t *this)
+{
+	return this->params->id;
+}
+
+METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*,
+	private_ntru_private_key_t *this)
+{
+	return ntru_public_key_create(this->drbg, this->params, this->pubkey);
+}
+
+/**
+ * Generate NTRU encryption private key encoding
+ */
+static void generate_encoding(private_ntru_private_key_t *this)
+{
+	size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len;
+	int privkey_pack_type;
+	uint16_t *indices;
+	uint8_t *trits;
+	u_char *enc;
+
+	/* compute public key length encoded as packed coefficients */
+	pubkey_len =  (this->params->N * this->params->q_bits + 7) / 8;
+
+	/* compute private key length encoded as packed trits coefficients */
+	privkey_trits_len = (this->params->N + 4) / 5;
+
+	/* compute private key length encoded as packed indices */
+	privkey_indices_len = (this->privkey->get_size(this->privkey) *
+						   this->params->N_bits + 7) / 8;
+
+	if (this->params->is_product_form ||
+		privkey_indices_len <= privkey_trits_len)
+	{
+		privkey_pack_type = NTRU_KEY_PACKED_INDICES;
+		privkey_len = privkey_indices_len;
+	}
+	else
+	{
+		privkey_pack_type = NTRU_KEY_PACKED_TRITS;
+		privkey_len = privkey_trits_len;
+       }
+
+	/* allocate memory for private key encoding */
+	this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len);
+	enc = this->encoding.ptr;
+
+	/* format header and packed public key */
+	*enc++ = NTRU_PRIVKEY_DEFAULT_TAG;
+	*enc++ = NTRU_OID_LEN;
+	memcpy(enc, this->params->oid, NTRU_OID_LEN);
+	enc += NTRU_OID_LEN;
+	ntru_elements_2_octets(this->params->N, this->pubkey,
+						   this->params->q_bits, enc);
+	enc += pubkey_len;
+
+	/* add packed private key */
+	indices = this->privkey->get_indices(this->privkey);
+
+	if (privkey_pack_type == NTRU_KEY_PACKED_TRITS)
+	{
+		/* encode private key as packed trits */
+		trits = malloc(this->params->N);
+		ntru_indices_2_packed_trits(indices, this->params->dF_r,
+							this->params->dF_r, this->params->N, trits, enc);
+		memwipe(trits, this->params->N);
+		free(trits);
+	}
+	else
+	{
+		/* encode private key as packed indices */
+		ntru_elements_2_octets(this->privkey->get_size(this->privkey),
+							   indices, this->params->N_bits, enc);
+	}
+}
+
+METHOD(ntru_private_key_t, get_encoding, chunk_t,
+	private_ntru_private_key_t *this)
+{
+	return this->encoding;
+}
+
+/** 
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ *
+ * @param N			degree of polynomial
+ * @param t			array of trinary ring elements
+ * @param min_wt	minimum weight
+ * @return			TRUE if minimum weight met or exceeded
+ */
+bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt)
+{
+	uint16_t wt[3];
+	bool success;
+	int i;
+
+	wt[0] = wt[1] = wt[2] = 0;
+
+	for (i = 0; i < N; i++)
+	{
+		++wt[t[i]];
+	}
+	success = (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt);
+
+	DBG2(DBG_LIB, "minimum weight = %u, so -1: %u, 0: %u, +1: %u is %sok",
+				   min_wt, wt[2], wt[0], wt[1], success ? "" : "not ");
+
+	return success;
+}
+
+METHOD(ntru_private_key_t, decrypt, bool,
+	private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext)
+{
+	hash_algorithm_t hash_algid;
+	size_t t_len, seed1_len, seed2_len;
+	uint16_t *t1, *t2, *t = NULL;
+    uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros;
+	uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr;
+	int16_t m1 = 0;
+	chunk_t seed = chunk_empty;
+	ntru_trits_t *mask;
+	ntru_poly_t *r_poly;
+	bool msg_rep_good, success = TRUE;
+	int i;
+
+	*plaintext = chunk_empty;
+
+	if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8)
+	{
+		DBG1(DBG_LIB, "wrong NTRU ciphertext length");
+		return FALSE;
+	}
+
+	/* allocate temporary array t */
+	t_len  = 2 * this->params->N * sizeof(uint16_t);
+	t = malloc(t_len);
+	t1 = t;
+	t2 = t + this->params->N;
+	Mtrin = (uint8_t *)t1;
+	M = Mtrin + this->params->N;
+
+	/* set hash algorithm based on security strength */
+	hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
+														  HASH_SHA256;
+
+	/* set constants */
+	mod_q_mask = this->params->q - 1;
+	q_mod_p = this->params->q % 3;
+
+    /* unpack the ciphertext */
+    ntru_octets_2_elements(ciphertext.len, ciphertext.ptr,
+						   this->params->q_bits, t2);
+
+	/* form cm':
+	 *  F * e
+	 *  A = e * (1 + pF) mod q = e + pFe mod q
+	 *  a = A in the range [-q/2, q/2)
+	 *  cm' = a mod p
+	 */
+	this->privkey->ring_mult(this->privkey, t2, t1);
+
+	cmprime_len = this->params->N;
+	if (this->params->is_product_form)
+	{
+		--cmprime_len;
+		for (i = 0; i < cmprime_len; i++)
+		{
+			t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+			if (t1[i] >= (this->params->q / 2))
+			{
+				t1[i] -= q_mod_p;
+			}
+			Mtrin[i] = (uint8_t)(t1[i] % 3);
+			if (Mtrin[i] == 1)
+			{
+				++m1;
+			}
+			else if (Mtrin[i] == 2)
+			{
+				--m1;
+			}
+		}
+	}
+	else
+	{
+		for (i = 0; i < cmprime_len; i++)
+		{
+			t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+			if (t1[i] >= (this->params->q / 2))
+			{
+				t1[i] -= q_mod_p;
+			}
+			Mtrin[i] = (uint8_t)(t1[i] % 3);
+		}
+	}
+
+    /**
+	 * check that the candidate message representative meets
+     * minimum weight requirements
+     */
+	if (this->params->is_product_form)
+	{
+		msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt);
+	}
+	else
+	{
+		msg_rep_good = ntru_check_min_weight(cmprime_len, Mtrin,
+											 this->params->min_msg_rep_wt);
+	}
+	if (!msg_rep_good)
+	{
+		DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight");
+		success = FALSE;
+	}
+
+	/* form cR = e - cm' mod q */
+	for (i = 0; i < cmprime_len; i++)
+	{
+		if (Mtrin[i] == 1)
+		{
+			t2[i] = (t2[i] - 1) & mod_q_mask;
+		}
+		else if (Mtrin[i] == 2)
+		{
+			t2[i] = (t2[i] + 1) & mod_q_mask;
+		}
+	}
+	if (this->params->is_product_form)
+	{
+		t2[i] = (t2[i] + m1) & mod_q_mask;
+	}
+
+	/* allocate memory for the larger of the two seeds */
+	seed1_len = (this->params->N + 3)/4;
+	seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max;
+	seed = chunk_alloc(max(seed1_len, seed2_len));
+	seed.len = seed1_len;
+
+	/* form cR mod 4 */
+	ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr);
+
+	/* form mask */
+	mask = ntru_trits_create(this->params->N, hash_algid, seed);
+	if (!mask)
+	{
+		DBG1(DBG_LIB, "mask creation failed");
+		success = FALSE;
+		goto err;
+	}
+
+	mask_trits = mask->get_trits(mask);
+
+	/* form cMtrin by subtracting mask from cm', mod p */
+	for (i = 0; i < cmprime_len; i++)
+	{
+		Mtrin[i] -=  mask_trits[i];
+		if (Mtrin[i] >= 3)
+		{
+			Mtrin[i] += 3;
+		}
+	}
+	mask->destroy(mask);
+
+	if (this->params->is_product_form)
+	{
+		/* set the last trit to zero since that's what it was, and
+		 * because it can't be calculated from (cm' - mask) since
+		 * we don't have the correct value for the last cm' trit
+		 */
+		Mtrin[i] = 0;
+	}
+
+	/* convert cMtrin to cM (Mtrin to Mbin) */
+	if (!ntru_trits_2_bits(Mtrin, this->params->N, M))
+	{
+		success = FALSE;
+		goto err;
+	}
+
+	/* skip the random padding */
+       ptr = M + this->params->sec_strength_len;
+
+	/* validate the padded message cM and copy cm to m_buf */
+	if (this->params->m_len_len == 2)
+	{
+		cm_len = (uint16_t)(*ptr++) << 16;
+	}
+	cm_len |= (uint16_t)(*ptr++);
+
+	if (cm_len > this->params->m_len_max)
+	{
+		cm_len = this->params->m_len_max;
+		DBG1(DBG_LIB, "NTRU message length is larger than maximum length");
+		success = FALSE;
+	}
+	cm = ptr;
+	ptr += cm_len;
+
+	/* check if the remaining padding consists of zeros */
+	num_zeros = this->params->m_len_max - cm_len + 1;
+	for (i = 0; i < num_zeros; i++)
+	{
+		if (ptr[i] != 0)
+		{
+			DBG1(DBG_LIB, "non-zero trailing padding detected");
+			success = FALSE;
+			break;
+		}
+	}
+
+	/* form sData (OID || m || b || hTrunc) */
+	ptr = seed.ptr;
+	memcpy(ptr, this->params->oid, 3);
+	ptr += 3;
+	memcpy(ptr, cm, cm_len);
+	ptr += cm_len;
+	memcpy(ptr, M, this->params->sec_strength_len);
+	ptr += this->params->sec_strength_len;
+	memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN,
+		   this->params->sec_strength_len);
+	ptr += this->params->sec_strength_len;
+	seed.len = ptr - seed.ptr;
+
+	/* generate cr */
+	DBG2(DBG_LIB, "generate polynomial r");
+	r_poly = ntru_poly_create_from_seed(hash_algid, seed,
+						this->params->c_bits, this->params->N,
+						this->params->q, this->params->dF_r,
+						this->params->dF_r, this->params->is_product_form);
+	if (!r_poly)
+	{
+		success = FALSE;
+		goto err;
+	}
+
+	/* output plaintext in allocated chunk */
+	*plaintext = chunk_clone(chunk_create(cm, cm_len));
+
+	/* form cR' = h * cr */
+	r_poly->ring_mult(r_poly, this->pubkey, t1);
+	r_poly->destroy(r_poly);
+
+	/* compare cR' to cR */
+	for (i = 0; i < this->params->N; i++)
+	{
+		if (t[i] != t2[i])
+		{
+			DBG1(DBG_LIB, "cR' does not equal cR'");
+			chunk_clear(plaintext);
+			success = FALSE;
+			break;
+		}
+	}
+	memwipe(t, t_len);
+
+err:
+	/* cleanup */
+	chunk_clear(&seed);
+	free(t);
+
+	return success;
+}
+
+METHOD(ntru_private_key_t, destroy, void,
+	private_ntru_private_key_t *this)
+{
+	DESTROY_IF(this->privkey);
+	this->drbg->destroy(this->drbg);
+	chunk_clear(&this->encoding);
+	free(this->pubkey);
+	free(this);
+}
+
+/**
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ *
+ * @param a		polynomial a
+ * @param b		polynomial b
+ * @param N		no. of coefficients in a, b, c
+ * @param q		large modulus
+ * @param c		polynomial c = a * b
+ */
+static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q,
+					    uint16_t *c)
+{
+	uint16_t *bptr = b;
+	uint16_t mod_q_mask = q - 1;
+	int i, k;
+
+	/* c[k] = sum(a[i] * b[k-i]) mod q */
+	memset(c, 0, N * sizeof(uint16_t));
+	for (k = 0; k < N; k++)
+	{
+		i = 0;
+		while (i <= k)
+		{
+			c[k] += a[i++] * *bptr--;
+		}
+		bptr += N;
+		while (i < N)
+		{
+			c[k] += a[i++] * *bptr--;
+		}
+		c[k] &= mod_q_mask;
+		++bptr;
+	}
+}
+
+/**
+ * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ *
+ * @param a			polynomial a
+ * @param N			no. of coefficients in a
+ * @param q			large modulus
+ * @param t			temporary buffer of size 2N elements
+ * @param a_inv 	polynomial for inverse of a
+ */
+static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t,
+					 uint16_t *a_inv)
+{
+	uint8_t *b = (uint8_t *)t;
+	uint8_t *c = b + N;
+	uint8_t *f = c + N;
+	uint8_t *g = (uint8_t *)a_inv;
+	uint16_t *t2 = t + N;
+	uint16_t deg_b, deg_c, deg_f, deg_g;
+    bool done = FALSE;
+    int i, j, k = 0;
+
+	/* form a^-1 in (Z/2Z)[X]/X^N - 1) */
+	memset(b, 0, 2 * N);					/* clear to init b, c */
+
+	/* b(X) = 1 */
+	b[0] = 1;
+	deg_b = 0;
+
+	/* c(X) = 0 (cleared above) */
+	deg_c = 0;
+
+	/* f(X) = a(X) mod 2 */
+	for (i = 0; i < N; i++)
+	{
+		f[i] = (uint8_t)(a[i] & 1);
+	}
+	deg_f = N - 1;
+
+	/* g(X) = X^N - 1 */
+	g[0] = 1;
+	memset(g + 1, 0, N - 1);
+	g[N] = 1;
+	deg_g = N;
+
+	/* until f(X) = 1 */
+	while (!done)
+	{
+		/* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
+		for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
+
+		if (i > deg_f)
+		{
+			return FALSE;
+		}
+		if (i)
+		{
+			f = f + i;
+			deg_f = deg_f - i;
+			deg_c = deg_c + i;
+			for (j = deg_c; j >= i; j--)
+			{
+				c[j] = c[j-i];
+			}
+			for (j = 0; j < i; j++)
+			{
+				c[j] = 0;
+			}
+			k = k + i;
+		}
+
+		/* adjust degree of f(X) if the highest coefficients are zero
+		 * Note: f[0] = 1 from above so the loop will terminate.
+		 */
+		while (f[deg_f] == 0)
+		{
+			--deg_f;
+		}
+
+		/* if f(X) = 1, done
+		 * Note: f[0] = 1 from above, so only check the x term and up
+		 */
+		for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
+
+		if (i > deg_f)
+		{
+			done = TRUE;
+			break;
+		}
+
+		/* if deg_f < deg_g, f <-> g, b <-> c */
+		if (deg_f < deg_g)
+		{
+			uint8_t *x;
+
+			x = f;
+			f = g;
+			g = x;
+			deg_f ^= deg_g;
+			deg_g ^= deg_f;
+			deg_f ^= deg_g;
+			x = b;
+			b = c;
+			c = x;
+			deg_b ^= deg_c;
+			deg_c ^= deg_b;
+			deg_b ^= deg_c;
+		}
+
+		/* f(X) += g(X), b(X) += c(X) */
+		for (i = 0; i <= deg_g; i++)
+		{
+			f[i] ^= g[i];
+		}
+		if (deg_c > deg_b)
+		{	
+			deg_b = deg_c;
+		}
+		for (i = 0; i <= deg_c; i++)
+		{
+			b[i] ^= c[i];
+		}
+	}
+
+	/* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
+	j = 0;
+	if (k >= N)
+	{
+		k = k - N;
+	}
+	for (i = k; i < N; i++)
+	{
+		a_inv[j++] = (uint16_t)(b[i]);
+	}
+	for (i = 0; i < k; i++)
+	{
+		a_inv[j++] = (uint16_t)(b[i]);
+	}
+
+	/* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
+    for (j = 0; j < 4; ++j)				/* assumes 256 < q <= 65536 */
+	{
+		/* a^-1 = a^-1 * (2 - a * a^-1) mod q */
+		memcpy(t2, a_inv, N * sizeof(uint16_t));
+		ring_mult_c(a, t2, N, q, t);
+		for (i = 0; i < N; ++i)
+		{
+			t[i] = q - t[i];
+		}
+		t[0] = t[0] + 2;
+		ring_mult_c(t2, t, N, q, a_inv);
+	}
+	
+	return TRUE;
+}
+
+/*
+ * Described in header.
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
+											ntru_param_set_t *params)
+{
+	private_ntru_private_key_t *this;
+	size_t t_len;
+	uint16_t *t1, *t2, *t = NULL;
+	uint16_t mod_q_mask;
+    hash_algorithm_t hash_algid;
+	ntru_poly_t *g_poly;
+	chunk_t	seed;
+	int i;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_public_key = _get_public_key,
+			.get_encoding = _get_encoding,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	/* set hash algorithm and seed length based on security strength */
+	if (params->sec_strength_len <= 20)
+	{
+		hash_algid = HASH_SHA1;
+	}
+	else
+	{
+		hash_algid = HASH_SHA256;
+	}
+	seed =chunk_alloc(params->sec_strength_len + 8);
+
+	/* get random seed for generating trinary F as a list of indices */
+	if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+							  seed.len, seed.ptr))
+	{
+		goto err;
+	}
+
+	DBG2(DBG_LIB, "generate polynomial F");
+	this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+											   params->N, params->q,
+											   params->dF_r, params->dF_r,
+											   params->is_product_form);
+	if (!this->privkey)
+	{
+		goto err;
+	}
+
+	/* allocate temporary array t */
+	t_len = 3 * params->N * sizeof(uint16_t);
+	t = malloc(t_len);
+	t1 = t + 2 * params->N;
+
+	/* extend sparse private key polynomial f to N array elements */ 
+	this->privkey->get_array(this->privkey, t1);
+
+	/* set mask for large modulus */
+	mod_q_mask = params->q - 1;
+
+	/* form f = 1 + pF */
+	for (i = 0; i < params->N; i++)
+	{
+		t1[i] = (t1[i] * 3) & mod_q_mask;
+	}
+	t1[0] = (t1[0] + 1) & mod_q_mask;
+
+	/* use the public key array as a temporary buffer */
+	t2 = this->pubkey;
+ 
+	/* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
+	if (!ring_inv(t1, params->N, params->q, t, t2))
+	{
+		goto err;
+	}
+
+	/* get random seed for generating trinary g as a list of indices */
+ 	if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+							  seed.len, seed.ptr))
+	{
+		goto err;
+	}
+
+	DBG2(DBG_LIB, "generate polynomial g");
+	g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+										params->N, params->q, params->dg + 1,
+										params->dg, FALSE);
+	if (!g_poly)
+	{
+		goto err;
+	}
+
+	/* compute public key polynomial h = p * (f^-1 * g) mod q */
+	g_poly->ring_mult(g_poly, t2, t2);
+	g_poly->destroy(g_poly);
+
+	for (i = 0; i < params->N; i++)
+	{
+		this->pubkey[i] = (t2[i] * 3) & mod_q_mask;
+	}
+
+	/* cleanup temporary storage */
+	chunk_clear(&seed);
+	memwipe(t, t_len);
+	free(t);
+	
+	/* generate private key encoding */
+	generate_encoding(this);
+
+	return &this->public;
+
+err:
+	chunk_free(&seed);
+	free(t);
+	destroy(this);
+
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg,
+													  chunk_t data)
+{
+	private_ntru_private_key_t *this;
+	size_t header_len, pubkey_packed_len, privkey_packed_len;
+	size_t privkey_packed_trits_len, privkey_packed_indices_len;
+	uint8_t *privkey_packed, tag;
+	uint16_t *indices, dF;
+	ntru_param_set_t *params;
+
+	header_len = 2 + NTRU_OID_LEN;
+
+	/* check the NTRU public key header format */
+	if (data.len < header_len ||
+		!(data.ptr[0] == NTRU_PRIVKEY_DEFAULT_TAG ||
+		  data.ptr[0] == NTRU_PRIVKEY_TRITS_TAG ||
+		  data.ptr[0] == NTRU_PRIVKEY_INDICES_TAG) ||
+		data.ptr[1] != NTRU_OID_LEN)
+	{
+		DBG1(DBG_LIB, "loaded NTRU private key with invalid header");
+		return NULL;
+	}
+	tag = data.ptr[0];
+	params = ntru_param_set_get_by_oid(data.ptr + 2);
+
+	if (!params)
+	{
+		DBG1(DBG_LIB, "loaded NTRU private key with unknown OID");
+		return NULL;
+	}
+
+	pubkey_packed_len = (params->N * params->q_bits + 7) / 8;
+	privkey_packed_trits_len = (params->N + 4) / 5;
+
+	/* check packing type for product-form private keys */
+	if (params->is_product_form &&  tag == NTRU_PRIVKEY_TRITS_TAG)
+	{
+		DBG1(DBG_LIB, "a product-form NTRU private key cannot be trits-encoded");
+		return NULL;
+	}
+
+	/* set packed-key length for packed indices */
+	if (params->is_product_form)
+	{
+		dF = (uint16_t)((params->dF_r & 0xff) +           /* df1 */
+					   ((params->dF_r >>  8) & 0xff) +    /* df2 */
+					   ((params->dF_r >> 16) & 0xff));    /* df3 */
+	}
+	else
+	{
+		dF = (uint16_t)params->dF_r;
+	}
+	privkey_packed_indices_len = (2 * dF * params->N_bits + 7) / 8;
+
+	/* set private-key packing type if defaulted */
+	if (tag == NTRU_PRIVKEY_DEFAULT_TAG)
+	{
+		if (params->is_product_form ||
+            privkey_packed_indices_len <= privkey_packed_trits_len)
+		{
+			tag = NTRU_PRIVKEY_INDICES_TAG;
+		}		
+		else
+		{
+			tag = NTRU_PRIVKEY_TRITS_TAG;
+		}
+	}
+	privkey_packed_len = (tag == NTRU_PRIVKEY_TRITS_TAG) ?
+                		 privkey_packed_trits_len : privkey_packed_indices_len;
+
+	if (data.len < header_len + pubkey_packed_len + privkey_packed_len)
+	{
+		DBG1(DBG_LIB, "loaded NTRU private key with wrong packed key size");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_public_key = _get_public_key,
+			.get_encoding = _get_encoding,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.encoding = chunk_clone(data),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	/* unpack the encoded public key */
+	ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len,
+						   params->q_bits, this->pubkey);
+
+	/* allocate temporary memory for indices */
+	indices = malloc(2 * dF * sizeof(uint16_t));
+
+	/* unpack the private key */
+	privkey_packed = data.ptr + header_len + pubkey_packed_len;	
+	if (tag == NTRU_PRIVKEY_TRITS_TAG)
+	{
+		ntru_packed_trits_2_indices(privkey_packed, params->N,
+									indices, indices + dF);
+    }
+	else
+	{
+        ntru_octets_2_elements(privkey_packed_indices_len, privkey_packed,
+							   params->N_bits, indices);
+    }
+	this->privkey = ntru_poly_create_from_data(indices, params->N, params->q,
+											   params->dF_r, params->dF_r,
+											   params->is_product_form);
+
+	/* cleanup */
+	memwipe(indices, 2 * dF * sizeof(uint16_t));
+	free(indices);
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create);
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data);
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h
new file mode 100644
index 000000000..c6f08440f
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_private_key.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_private_key ntru_private_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PRIVATE_KEY_H_
+#define NTRU_PRIVATE_KEY_H_
+
+typedef struct ntru_private_key_t ntru_private_key_t;
+
+#include "ntru_drbg.h"
+#include "ntru_param_set.h"
+#include "ntru_public_key.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public/private key pair
+ */
+struct ntru_private_key_t {
+
+	/**
+	 * Returns NTRU parameter set ID of the private key
+	 *
+	 * @return			NTRU parameter set ID
+	 */
+	ntru_param_set_id_t (*get_id)(ntru_private_key_t *this);
+
+	/**
+	 * Returns the NTRU encryption public key as an encoded binary blob
+	 *
+	 * @return				NTRU encryption public key (must be freed after use)
+	 */
+	ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this);
+
+	/**
+	 * Returns the packed encoding of the NTRU encryption private key
+	 *
+	 * @return				Packed encoding of NTRU encryption private key
+	 */
+	chunk_t (*get_encoding)(ntru_private_key_t *this);
+
+	/**
+	 * Decrypts an NTRU ciphertext
+	 *
+	 * @param ciphertext	NTRU Ciphertext
+	 * @param plaintext		Plaintext
+	 * @return				TRUE if decryption was successful
+	 */
+	bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext,
+					chunk_t *plaintext);
+
+	/**
+	 * Destroy ntru_private_key_t object
+	 */
+	void (*destroy)(ntru_private_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public/private key pair using a NIST DRBG
+ *
+ * @param drbg			Digital Random Bit Generator used for key generation
+ * @param params		NTRU encryption parameter set to be used
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params);
+
+/**
+ * Creates an NTRU encryption private key from encoding
+ *
+ * @param drbg			Deterministic random bit generator
+ * @param data			Encoded NTRU private key
+ */
+ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg,
+													  chunk_t data);
+
+#endif /** NTRU_PRIVATE_KEY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c
new file mode 100644
index 000000000..a2ff1b2b0
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_public_key.c
@@ -0,0 +1,408 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_public_key.h"
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+#include "ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_public_key_t private_ntru_public_key_t;
+
+/**
+ * Private data of an ntru_public_key_t object.
+ */
+struct private_ntru_public_key_t {
+	/**
+	 * Public ntru_public_key_t interface.
+	 */
+	ntru_public_key_t public;
+
+	/**
+	 * NTRU Parameter Set
+	 */
+	ntru_param_set_t *params;
+
+	/**
+	 * Polynomial h which is the public key
+	 */
+	uint16_t *pubkey;
+
+	/**
+	 * Encoding of the public key
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Deterministic Random Bit Generator
+	 */
+	ntru_drbg_t *drbg;
+
+};
+
+METHOD(ntru_public_key_t, get_id, ntru_param_set_id_t,
+	private_ntru_public_key_t *this)
+{
+	return this->params->id;
+}
+
+/**
+ * Generate NTRU encryption public key encoding
+ */
+static void generate_encoding(private_ntru_public_key_t *this)
+{
+	size_t pubkey_len;
+	u_char *enc;
+
+	/* compute public key length encoded as packed coefficients */
+	pubkey_len =  (this->params->N * this->params->q_bits + 7) / 8;
+
+	/* allocate memory for public key encoding */
+	this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len);
+	enc = this->encoding.ptr;
+
+	/* format header and packed public key */
+	*enc++ = NTRU_PUBKEY_TAG;
+	*enc++ = NTRU_OID_LEN;
+	memcpy(enc, this->params->oid, NTRU_OID_LEN);
+	enc += NTRU_OID_LEN;
+	ntru_elements_2_octets(this->params->N, this->pubkey,
+						   this->params->q_bits, enc);
+}
+
+METHOD(ntru_public_key_t, get_encoding, chunk_t,
+	private_ntru_public_key_t *this)
+{
+	return this->encoding;
+}
+
+#define MAX_SEC_STRENGTH_LEN	32 /* bytes */
+
+/**
+ * Shared with ntru_private_key.c
+ */
+extern bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt);
+
+METHOD(ntru_public_key_t, encrypt, bool,
+	private_ntru_public_key_t *this, chunk_t plaintext, chunk_t *ciphertext)
+{
+	hash_algorithm_t hash_algid;
+	size_t t_len, seed1_len, seed2_len;
+	uint16_t *t1, *t = NULL;
+	uint8_t b[MAX_SEC_STRENGTH_LEN];
+	uint8_t *t2, *Mtrin, *M, *mask_trits, *ptr;
+	uint16_t mod_q_mask, mprime_len = 0;
+	int16_t m1 = 0;
+	chunk_t seed = chunk_empty;
+	ntru_trits_t *mask;
+	ntru_poly_t *r_poly;
+	bool msg_rep_good, success = FALSE;
+	int i;
+
+	*ciphertext = chunk_empty;
+
+	if (plaintext.len > this->params->m_len_max)
+	{
+		DBG1(DBG_LIB, "plaintext exceeds maximum size");
+		return FALSE;
+	}
+
+	if (this->params->sec_strength_len > MAX_SEC_STRENGTH_LEN)
+	{
+		DBG1(DBG_LIB, "required security strength exceeds %d bits",
+			 MAX_SEC_STRENGTH_LEN * BITS_PER_BYTE);
+		return FALSE;
+	}
+
+	/* allocate temporary array t */
+	t_len  = (sizeof(uint16_t) + 3*sizeof(uint8_t)) * this->params->N;
+	t = malloc(t_len);
+	t1 = t;
+	t2 = (uint8_t *)(t1 + this->params->N);
+	Mtrin = t2 + this->params->N;
+	M = Mtrin + this->params->N;
+
+	/* set hash algorithm based on security strength */
+	hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
+														  HASH_SHA256;
+	/* set constants */
+	mod_q_mask = this->params->q - 1;
+
+	/* allocate memory for the larger of the two seeds */
+	seed1_len = (this->params->N + 3)/4;
+	seed2_len = 3 + 2*this->params->sec_strength_len + plaintext.len;
+	seed = chunk_alloc(max(seed1_len, seed2_len));
+
+	/* loop until a message representative with proper weight is achieved */
+	do
+	{
+		if (!this->drbg->generate(this->drbg,
+								  this->params->sec_strength_len * BITS_PER_BYTE,
+								  this->params->sec_strength_len, b))
+		{
+			goto err;
+		}
+
+		/* form sData (OID || m || b || hTrunc) */
+		ptr = seed.ptr;
+		memcpy(ptr, this->params->oid, NTRU_OID_LEN);
+		ptr += NTRU_OID_LEN;
+		memcpy(ptr, plaintext.ptr, plaintext.len);
+		ptr += plaintext.len;
+		memcpy(ptr, b, this->params->sec_strength_len);
+		ptr += this->params->sec_strength_len;
+		memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN,
+			   this->params->sec_strength_len);
+		ptr += this->params->sec_strength_len;
+		seed.len = seed2_len;
+
+		DBG2(DBG_LIB, "generate polynomial r");
+		r_poly = ntru_poly_create_from_seed(hash_algid, seed, this->params->c_bits,
+											this->params->N, this->params->q,
+											this->params->dF_r, this->params->dF_r,
+											this->params->is_product_form);
+		if (!r_poly)
+		{
+		   goto err;
+		}
+
+		/* form R = h * r */
+		r_poly->ring_mult(r_poly, this->pubkey, t1);
+		r_poly->destroy(r_poly);
+
+		/* form R mod 4 */
+		ntru_coeffs_mod4_2_octets(this->params->N, t1, seed.ptr);
+		seed.len = seed1_len;
+
+		/* form mask */
+		mask = ntru_trits_create(this->params->N, hash_algid, seed);
+		if (!mask)
+		{
+			DBG1(DBG_LIB, "mask creation failed");
+			goto err;
+		}
+
+		/* form the padded message M */
+		ptr = M;
+		memcpy(ptr, b, this->params->sec_strength_len);
+		ptr += this->params->sec_strength_len;
+		if (this->params->m_len_len == 2)
+		{
+			*ptr++ = (uint8_t)((plaintext.len >> 8) & 0xff);
+		}
+		*ptr++ = (uint8_t)(plaintext.len & 0xff);
+		memcpy(ptr, plaintext.ptr, plaintext.len);
+		ptr += plaintext.len;
+
+		/* add an extra zero byte in case without it the bit string
+		 * is not a multiple of 3 bits and therefore might not be
+		 * able to produce enough trits
+		 */
+		memset(ptr, 0, this->params->m_len_max - plaintext.len + 2);
+
+		/* convert M to trits (Mbin to Mtrin) */
+		mprime_len = this->params->N;
+		if (this->params->is_product_form)
+		{
+			--mprime_len;
+		}
+		ntru_bits_2_trits(M, mprime_len, Mtrin);
+		mask_trits = mask->get_trits(mask);
+
+
+		/* form the msg representative m' by adding Mtrin to mask, mod p */
+		if (this->params->is_product_form)
+		{
+			m1 = 0;
+			for (i = 0; i < mprime_len; i++)
+			{
+				t2[i] = mask_trits[i] + Mtrin[i];
+				if (t2[i] >= 3)
+				{
+					t2[i] -= 3;
+				}
+				if (t2[i] == 1)
+				{
+					++m1;
+				}
+				else if (t2[i] == 2)
+				{
+					--m1;
+				}
+			}
+		}
+		else
+		{
+			for (i = 0; i < mprime_len; i++)
+			{
+				t2[i] = mask_trits[i] + Mtrin[i];
+				if (t2[i] >= 3)
+				{
+					t2[i] -= 3;
+				}
+			}
+		}
+		mask->destroy(mask);
+
+		/* check that message representative meets minimum weight
+		 * requirements
+		 */
+		if (this->params->is_product_form)
+		{
+			msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt);
+		}
+		else
+		{
+			msg_rep_good = ntru_check_min_weight(mprime_len, t2,
+												 this->params->min_msg_rep_wt);
+		}
+	}
+	while (!msg_rep_good);
+
+	/* form ciphertext e by adding m' to R mod q */
+	for (i = 0; i < mprime_len; i++)
+	{
+		if (t2[i] == 1)
+		{
+			t1[i] = (t1[i] + 1) & mod_q_mask;
+		}
+		else if (t2[i] == 2)
+		{
+			t1[i] = (t1[i] - 1) & mod_q_mask;
+		}
+	}
+	if (this->params->is_product_form)
+	{
+		t1[i] = (t1[i] - m1) & mod_q_mask;
+	}
+
+	/* pack ciphertext */
+	*ciphertext = chunk_alloc((this->params->N * this->params->q_bits + 7) / 8);
+	ntru_elements_2_octets(this->params->N, t1, this->params->q_bits,
+						   ciphertext->ptr);
+
+	memwipe(t, t_len);
+	success = TRUE;
+
+err:
+	/* cleanup */
+	chunk_clear(&seed);
+	free(t);
+
+	return success;
+}
+METHOD(ntru_public_key_t, destroy, void,
+	private_ntru_public_key_t *this)
+{
+	this->drbg->destroy(this->drbg);
+	chunk_clear(&this->encoding);
+	free(this->pubkey);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg,
+										  ntru_param_set_t *params,
+										  uint16_t *pubkey)
+{
+	private_ntru_public_key_t *this;
+	int i;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_encoding = _get_encoding,
+			.encrypt = _encrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	for (i = 0; i < params->N; i++)
+	{
+		this->pubkey[i] = pubkey[i];
+	}
+
+	/* generate public key encoding */
+	generate_encoding(this);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg,
+													chunk_t data)
+{
+	private_ntru_public_key_t *this;
+	size_t header_len, pubkey_packed_len;
+	ntru_param_set_t *params;
+
+	header_len = 2 + NTRU_OID_LEN;
+
+	/* check the NTRU public key header format */
+	if (data.len < header_len ||
+		data.ptr[0] != NTRU_PUBKEY_TAG ||
+		data.ptr[1] != NTRU_OID_LEN)
+	{
+		DBG1(DBG_LIB, "received NTRU public key with invalid header");
+		return NULL;
+	}
+	params =  ntru_param_set_get_by_oid(data.ptr + 2);
+
+	if (!params)
+	{
+		DBG1(DBG_LIB, "received NTRU public key with unknown OID");
+		return NULL;
+	}
+
+	pubkey_packed_len = (params->N * params->q_bits + 7) / 8;
+
+	if (data.len < header_len + pubkey_packed_len)
+	{
+		DBG1(DBG_LIB, "received NTRU public key with wrong packed key size");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_encoding = _get_encoding,
+			.encrypt = _encrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.encoding = chunk_clone(data),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	/* unpack the encoded public key */
+	ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len,
+						   params->q_bits, this->pubkey);
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data);
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h
new file mode 100644
index 000000000..baa8eabcd
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_public_key.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_public_key ntru_public_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PUBLIC_KEY_H_
+#define NTRU_PUBLIC_KEY_H_
+
+typedef struct ntru_public_key_t ntru_public_key_t;
+
+#include "ntru_param_set.h"
+#include "ntru_drbg.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public key
+ */
+struct ntru_public_key_t {
+
+	/**
+	 * Returns NTRU parameter set ID of the public key
+	 *
+	 * @return			NTRU parameter set ID
+	 */
+	ntru_param_set_id_t (*get_id)(ntru_public_key_t *this);
+
+	/**
+	 * Returns the packed encoding of the NTRU encryption public key
+	 *
+	 * @return			Packed encoding of NTRU encryption public key
+	 */
+	chunk_t (*get_encoding)(ntru_public_key_t *this);
+
+	/**
+	 * Encrypts a plaintext with the NTRU public key
+	 *
+	 * @param ciphertext	Plaintext
+	 * @param plaintext		Ciphertext
+	 * @return				TRUE if encryption was successful
+	 */
+	bool (*encrypt)(ntru_public_key_t *this, chunk_t plaintext,
+					chunk_t *ciphertext);
+
+	/**
+	 * Destroy ntru_public_key_t object
+	 */
+	void (*destroy)(ntru_public_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public key from coefficients
+ *
+ * @param drbg			Deterministic random bit generator
+ * @param params		NTRU encryption parameter set to be used
+ * @param pubkey		Coefficients of public key polynomial h
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg,
+										  ntru_param_set_t *params,
+										  uint16_t *pubkey);
+
+/**
+ * Creates an NTRU encryption public key from encoding
+ *
+ * @param drbg			Deterministic random bit generator
+ * @param data			Encoded NTRU public key
+ */
+ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg,
+													chunk_t data);
+
+
+#endif /** NTRU_PUBLIC_KEY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
index f82501629..1abb7671c 100644
--- a/src/libstrongswan/plugins/ntru/ntru_trits.c
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -15,8 +15,7 @@
 
 #include "ntru_trits.h"
 #include "ntru_mgf1.h"
-
-#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+#include "ntru_convert.h"
 
 #include <utils/debug.h>
 #include <utils/test.h>
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index f0735294b..5d8ada2fa 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -379,7 +379,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
index 842111bd3..147e4afb4 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.c
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -202,7 +202,8 @@ METHOD(aead_t, destroy, void,
 /*
  * Described in header
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+aead_t *openssl_gcm_create(encryption_algorithm_t algo,
+						   size_t key_size, size_t salt_size)
 {
 	private_aead_t *this;
 
@@ -236,6 +237,13 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
 			return NULL;
 	}
 
+	if (salt_size && salt_size != SALT_LEN)
+	{
+		/* currently not supported */
+		free(this);
+		return NULL;
+	}
+
 	switch (algo)
 	{
 		case ENCR_AES_GCM_ICV8:
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h
index 12d2e8ab6..4ae268bd6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.h
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h
@@ -30,8 +30,10 @@
  *
  * @param algo			algorithm to implement
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead_t object, NULL if not supported
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** OPENSSL_GCM_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index f0c172629..9748e28f2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -222,7 +222,21 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 			i2d_RSA_PUBKEY(rsa, &p);
 			break;
 		default:
-			return FALSE;
+		{
+			chunk_t n = chunk_empty, e = chunk_empty;
+			bool success = FALSE;
+
+			if (openssl_bn2chunk(rsa->n, &n) &&
+				openssl_bn2chunk(rsa->e, &e))
+			{
+				success = lib->encoding->encode(lib->encoding, type, rsa, fp,
+									CRED_PART_RSA_MODULUS, n,
+									CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+			}
+			chunk_free(&n);
+			chunk_free(&e);
+			return success;
+		}
 	}
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 55c0271ce..0450ab053 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 22c33b0c8..300615eb7 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index 9c8237e4d..df4b77cc3 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -106,6 +106,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 				label = "CERTIFICATE REQUEST";
 				break;
 			}
+			if (cred_encoding_args(args, CRED_PART_X509_AC_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{
+				label = "ATTRIBUTE CERTIFICATE";
+				break;
+			}
 		default:
 			return FALSE;
 	}
@@ -154,4 +160,3 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 	encoding->len = pos - encoding->ptr;
 	return TRUE;
 }
-
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index e2491f5a4..ca8743bc0 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index d3f3fdf49..c563806ee 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index b304a5101..eb0903d47 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -46,6 +46,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
 	};
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index c8cec3771..5d2f39c9e 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 67b1f4f57..f398652d5 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index feff6e5b0..7d1c65538 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 35a5c9a35..fca8fd1f9 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 8a1958be5..65cdbe9d9 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -73,25 +73,55 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature)
 			data = chunk_empty;
 			break;
 		case FEATURE_CRYPTER:
+			data = chunk_from_thing(feature->arg.crypter);
+			break;
 		case FEATURE_AEAD:
+			data = chunk_from_thing(feature->arg.aead);
+			break;
 		case FEATURE_SIGNER:
+			data = chunk_from_thing(feature->arg.signer);
+			break;
 		case FEATURE_HASHER:
+			data = chunk_from_thing(feature->arg.hasher);
+			break;
 		case FEATURE_PRF:
+			data = chunk_from_thing(feature->arg.prf);
+			break;
 		case FEATURE_DH:
+			data = chunk_from_thing(feature->arg.dh_group);
+			break;
 		case FEATURE_PRIVKEY:
+			data = chunk_from_thing(feature->arg.privkey);
+			break;
 		case FEATURE_PRIVKEY_GEN:
+			data = chunk_from_thing(feature->arg.privkey_gen);
+			break;
 		case FEATURE_PUBKEY:
+			data = chunk_from_thing(feature->arg.pubkey);
+			break;
 		case FEATURE_PRIVKEY_SIGN:
+			data = chunk_from_thing(feature->arg.privkey_sign);
+			break;
 		case FEATURE_PUBKEY_VERIFY:
+			data = chunk_from_thing(feature->arg.pubkey_verify);
+			break;
 		case FEATURE_PRIVKEY_DECRYPT:
+			data = chunk_from_thing(feature->arg.privkey_decrypt);
+			break;
 		case FEATURE_PUBKEY_ENCRYPT:
+			data = chunk_from_thing(feature->arg.pubkey_encrypt);
+			break;
 		case FEATURE_CERT_DECODE:
 		case FEATURE_CERT_ENCODE:
+			data = chunk_from_thing(feature->arg.cert);
+			break;
 		case FEATURE_CONTAINER_DECODE:
 		case FEATURE_CONTAINER_ENCODE:
+			data = chunk_from_thing(feature->arg.container);
+			break;
 		case FEATURE_EAP_SERVER:
 		case FEATURE_EAP_PEER:
-			data = chunk_from_thing(feature->arg);
+			data = chunk_from_thing(feature->arg.eap);
 			break;
 		case FEATURE_CUSTOM:
 			data = chunk_create(feature->arg.custom,
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 08a8442ea..487fafa01 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1047,6 +1047,7 @@ static char *modular_pluginlist(char *list)
 
 	array_sort(final, (void*)plugin_priority_cmp, NULL);
 
+	plugins = strdup("");
 	enumerator = array_create_enumerator(final);
 	while (enumerator->enumerate(enumerator, &current))
 	{
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 803eeab44..6f00e7eb1 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 0efe24cb7..59f062dd2 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index afcbc07eb..b820d1211 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 88b283e87..db926c545 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 745ee83e7..cfdd7e8b6 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index c8ec3f723..9fd5b2a22 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -93,40 +93,92 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 /**
  * check the signature of an OCSP response
  */
-static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
+static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
 {
 	certificate_t *issuer, *subject;
 	identification_t *responder;
 	ocsp_response_wrapper_t *wrapper;
 	enumerator_t *enumerator;
-	auth_cfg_t *current;
-	bool verified = FALSE;
+	x509_t *x509;
+	bool verified = FALSE, found = FALSE;
 
 	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
 	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
 
 	subject = &response->certificate;
 	responder = subject->get_issuer(subject);
-	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+
+	/* check OCSP response using CA or directly delegated OCSP signer */
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
 													KEY_ANY, responder, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, &current))
+	while (enumerator->enumerate(enumerator, &issuer))
 	{
+		x509 = (x509_t*)issuer;
+		if (!issuer->get_validity(issuer, NULL, NULL, NULL))
+		{	/* OCSP signer currently invalid */
+			continue;
+		}
+		if (!ca->equals(ca, issuer))
+		{	/* delegated OCSP signer? */
+			if (!lib->credmgr->issued_by(lib->credmgr, issuer, ca, NULL))
+			{	/* OCSP response not signed by CA, nor delegated OCSP signer */
+				continue;
+			}
+			if (!(x509->get_flags(x509) & X509_OCSP_SIGNER))
+			{	/* delegated OCSP signer does not have OCSP signer flag */
+				continue;
+			}
+		}
+		found = TRUE;
 		if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
 		{
 			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
-							 issuer->get_subject(issuer));
-			if (auth)
-			{
-				auth->merge(auth, current, FALSE);
-			}
+				 issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
 		}
+		DBG1(DBG_CFG, "ocsp response verification failed, "
+			 "invalid signature");
 	}
 	enumerator->destroy(enumerator);
 
+	if (!verified)
+	{
+		/* as fallback, use any locally installed OCSP signer certificate */
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509, KEY_ANY, responder, TRUE);
+		while (enumerator->enumerate(enumerator, &issuer))
+		{
+			x509 = (x509_t*)issuer;
+			/* while issued_by() accepts both OCSP signer or CA basic
+			 * constraint flags to verify OCSP responses, unrelated but trusted
+			 * OCSP signers must explicitly have the OCSP signer flag set. */
+			if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+				issuer->get_validity(issuer, NULL, NULL, NULL))
+			{
+				found = TRUE;
+				if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
+				{
+					DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
+						 issuer->get_subject(issuer));
+					verified = TRUE;
+					break;
+				}
+				DBG1(DBG_CFG, "ocsp response verification failed, "
+					 "invalid signature");
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
 	wrapper->destroy(wrapper);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "ocsp response verification failed, "
+			 "no signer certificate '%Y' found", responder);
+	}
 	return verified;
 }
 
@@ -134,8 +186,8 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
  * Get the better of two OCSP responses, and check for usable OCSP info
  */
 static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
-					x509_t *subject, x509_t *issuer, cert_validation_t *valid,
-					auth_cfg_t *auth, bool cache)
+									  x509_t *subject, x509_t *issuer,
+									  cert_validation_t *valid, bool cache)
 {
 	ocsp_response_t *response;
 	time_t revocation, this_update, next_update, valid_until;
@@ -145,9 +197,8 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
 	response = (ocsp_response_t*)cand;
 
 	/* check ocsp signature */
-	if (!verify_ocsp(response, auth))
+	if (!verify_ocsp(response, &issuer->interface))
 	{
-		DBG1(DBG_CFG, "ocsp response verification failed");
 		cand->destroy(cand);
 		return best;
 	}
@@ -226,8 +277,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		current->get_ref(current);
-		best = get_better_ocsp(current, best, subject, issuer,
-							   &valid, auth, FALSE);
+		best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE);
 		if (best && valid != VALIDATION_STALE)
 		{
 			DBG1(DBG_CFG, "  using cached ocsp response");
@@ -254,7 +304,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 			if (current)
 			{
 				best = get_better_ocsp(current, best, subject, issuer,
-									   &valid, auth, TRUE);
+									   &valid, TRUE);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -276,7 +326,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 			if (current)
 			{
 				best = get_better_ocsp(current, best, subject, issuer,
-									   &valid, auth, TRUE);
+									   &valid, TRUE);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -330,25 +380,20 @@ static certificate_t* fetch_crl(char *url)
 /**
  * check the signature of an CRL
  */
-static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
+static bool verify_crl(certificate_t *crl)
 {
 	certificate_t *issuer;
 	enumerator_t *enumerator;
 	bool verified = FALSE;
-	auth_cfg_t *current;
 
 	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
 										KEY_ANY, crl->get_issuer(crl), FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, &current))
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
 	{
 		if (lib->credmgr->issued_by(lib->credmgr, crl, issuer, NULL))
 		{
 			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
 						   issuer->get_subject(issuer));
-			if (auth)
-			{
-				auth->merge(auth, current, FALSE);
-			}
 			verified = TRUE;
 			break;
 		}
@@ -362,7 +407,7 @@ static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
  * Get the better of two CRLs, and check for usable CRL info
  */
 static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
-					x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth,
+					x509_t *subject, cert_validation_t *valid,
 					bool cache, crl_t *base)
 {
 	enumerator_t *enumerator;
@@ -390,7 +435,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 	}
 
 	/* check CRL signature */
-	if (!verify_crl(cand, auth))
+	if (!verify_crl(cand))
 	{
 		DBG1(DBG_CFG, "crl response verification failed");
 		cand->destroy(cand);
@@ -452,8 +497,8 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
  * Find or fetch a certificate for a given crlIssuer
  */
 static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
-								  auth_cfg_t *auth, crl_t *base,
-								  certificate_t **best, bool *uri_found)
+								  crl_t *base, certificate_t **best,
+								  bool *uri_found)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
 	enumerator_t *enumerator;
@@ -466,8 +511,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		current->get_ref(current);
-		*best = get_better_crl(current, *best, subject, &valid,
-							   auth, FALSE, base);
+		*best = get_better_crl(current, *best, subject, &valid, FALSE, base);
 		if (*best && valid != VALIDATION_STALE)
 		{
 			DBG1(DBG_CFG, "  using cached crl");
@@ -495,7 +539,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
 					continue;
 				}
 				*best = get_better_crl(current, *best, subject,
-									   &valid, auth, TRUE, base);
+									   &valid, TRUE, base);
 				if (*best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -511,7 +555,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
  * Look for a delta CRL for a given base CRL
  */
 static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
-					crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth)
+									crl_t *base, cert_validation_t base_valid)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
 	certificate_t *best = NULL, *current;
@@ -526,7 +570,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 	if (chunk.len)
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, chunk);
-		valid = find_crl(subject, id, auth, base, &best, &uri);
+		valid = find_crl(subject, id, base, &best, &uri);
 		id->destroy(id);
 	}
 
@@ -537,7 +581,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 	{
 		if (cdp->issuer)
 		{
-			valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri);
+			valid = find_crl(subject, cdp->issuer, base, &best, &uri);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -558,8 +602,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 				current->destroy(current);
 				continue;
 			}
-			best = get_better_crl(current, best, subject, &valid,
-								  auth, TRUE, base);
+			best = get_better_crl(current, best, subject, &valid, TRUE, base);
 			if (best && valid != VALIDATION_STALE)
 			{
 				break;
@@ -576,7 +619,6 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 	return base_valid;
 }
 
-
 /**
  * validate a x509 certificate using CRL
  */
@@ -597,7 +639,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 	if (chunk.len)
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, chunk);
-		valid = find_crl(subject, id, auth, NULL, &best, &uri_found);
+		valid = find_crl(subject, id, NULL, &best, &uri_found);
 		id->destroy(id);
 	}
 
@@ -608,8 +650,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 	{
 		if (cdp->issuer)
 		{
-			valid = find_crl(subject, cdp->issuer, auth, NULL,
-							 &best, &uri_found);
+			valid = find_crl(subject, cdp->issuer, NULL, &best, &uri_found);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -633,7 +674,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 					continue;
 				}
 				best = get_better_crl(current, best, subject, &valid,
-									  auth, TRUE, NULL);
+									  TRUE, NULL);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -646,7 +687,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 	/* look for delta CRLs */
 	if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE))
 	{
-		valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth);
+		valid = check_delta_crl(subject, issuer, (crl_t*)best, valid);
 	}
 
 	/* an uri was found, but no result. switch validation state to failed */
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index e57eb78ab..4f9d24a7e 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index c044178b9..ddc287522 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index cc16ef5cb..2ba05f71e 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index c428b883f..2cbacddf1 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index 3c9926acc..6bd82503d 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index a1439f6ea..7443f531c 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -387,7 +387,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 788baae57..33c13d9f4 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -88,11 +88,18 @@ TEST_VECTOR_AEAD(aes_ccm10)
 TEST_VECTOR_AEAD(aes_ccm11)
 TEST_VECTOR_AEAD(aes_gcm1)
 TEST_VECTOR_AEAD(aes_gcm2)
-TEST_VECTOR_AEAD(aes_gcm3)
+TEST_VECTOR_AEAD(aes_gcm3_1)
+TEST_VECTOR_AEAD(aes_gcm3_2)
+TEST_VECTOR_AEAD(aes_gcm3_3)
 TEST_VECTOR_AEAD(aes_gcm4)
-TEST_VECTOR_AEAD(aes_gcm5)
-TEST_VECTOR_AEAD(aes_gcm6)
 TEST_VECTOR_AEAD(aes_gcm7)
+TEST_VECTOR_AEAD(aes_gcm8)
+TEST_VECTOR_AEAD(aes_gcm9)
+TEST_VECTOR_AEAD(aes_gcm10)
+TEST_VECTOR_AEAD(aes_gcm13)
+TEST_VECTOR_AEAD(aes_gcm14)
+TEST_VECTOR_AEAD(aes_gcm15)
+TEST_VECTOR_AEAD(aes_gcm16)
 
 TEST_VECTOR_SIGNER(aes_xcbc_s1)
 TEST_VECTOR_SIGNER(aes_xcbc_s2)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
index 8de180ad5..95c41ecbc 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
@@ -21,7 +21,8 @@
  * originally from "fips cavs fax files on hand at Red Hat".
  */
 aead_test_vector_t aes_ccm1 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3,
+	.len = 32, .alen = 0,
 	.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
 			  "\x96\xac\x59",
 	.iv		= "\x30\x07\xa1\xe2\xa2\xc7\x55\x24",
@@ -33,7 +34,8 @@ aead_test_vector_t aes_ccm1 = {
 };
 
 aead_test_vector_t aes_ccm2 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3"
 			  "\x4f\xa3\x19",
 	.iv		= "\xd3\x01\x5a\xd8\x30\x60\x15\x56",
@@ -47,7 +49,8 @@ aead_test_vector_t aes_ccm2 = {
 };
 
 aead_test_vector_t aes_ccm3 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3,
+	.len = 0, .alen = 32,
 	.key	= "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75"
 			  "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35",
 	.iv		= "\x26\xf2\x21\x8d\x50\x20\xda\xe2",
@@ -57,7 +60,8 @@ aead_test_vector_t aes_ccm3 = {
 };
 
 aead_test_vector_t aes_ccm4 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62"
 			  "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c",
 	.iv		= "\x86\x84\xb6\xcd\xef\x09\x2e\x94",
@@ -71,7 +75,8 @@ aead_test_vector_t aes_ccm4 = {
 };
 
 aead_test_vector_t aes_ccm5 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a"
 			  "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b"
 			  "\x1e\x29\x91",
@@ -86,7 +91,8 @@ aead_test_vector_t aes_ccm5 = {
 };
 
 aead_test_vector_t aes_ccm6 = {
-	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32"
 			  "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39"
 			  "\xf9\xd9\x4e",
@@ -101,7 +107,8 @@ aead_test_vector_t aes_ccm6 = {
 };
 
 aead_test_vector_t aes_ccm7 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46"
 			  "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b"
 			  "\x24\xa7\x8b",
@@ -116,7 +123,8 @@ aead_test_vector_t aes_ccm7 = {
 };
 
 aead_test_vector_t aes_ccm8 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .salt_size = 3,
+	.len = 0, .alen = 0,
 	.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
 			  "\xaf\x94\x87",
 	.iv		= "\x78\x35\x82\x81\x7f\x88\x94\x68",
@@ -124,7 +132,8 @@ aead_test_vector_t aes_ccm8 = {
 };
 
 aead_test_vector_t aes_ccm9 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3,
+	.len = 0, .alen = 32,
 	.key	= "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3"
 			  "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83",
 	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
@@ -134,7 +143,8 @@ aead_test_vector_t aes_ccm9 = {
 };
 
 aead_test_vector_t aes_ccm10 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3,
+	.len = 0, .alen = 0,
 	.key	= "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c"
 			  "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff"
 			  "\xee\x49\x83",
@@ -143,7 +153,8 @@ aead_test_vector_t aes_ccm10 = {
 };
 
 aead_test_vector_t aes_ccm11 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0"
 			  "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83",
 	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
index 7534633e1..1f33bcbd5 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
@@ -16,11 +16,37 @@
 #include <crypto/crypto_tester.h>
 
 /**
- * From the Linux kernel, those with an IV. Originally from
- * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html
+ * From McGrew & Viega
+ * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ * Formatted to match our API which expects the first four bytes (salt) of the
+ * IV as part of the key and writes/expects the ICV at the end of the cipher
+ * text.
+ * Since our implementations are currently limited to IV lengths of 12 (IV=8,
+ * SALT=4 as per RFC 4106/5282) the test cases 5/6, 11/12 and 17/18 aren't
+ * compatible.
  */
 aead_test_vector_t aes_gcm1 = {
-	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 0, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "",
+	.cipher	= "\x58\xe2\xfc\xce\xfa\x7e\x30\x61\x36\x7f\x1d\x57\xa4\xe7\x45\x5a",
+};
+aead_test_vector_t aes_gcm2 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 16, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x03\x88\xda\xce\x60\xb6\xa3\x92\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
+			  "\xab\x6e\x47\xd4\x2c\xec\x13\xbd\xf5\x3a\x67\xb2\x12\x57\xbd\xdf",
+};
+aead_test_vector_t aes_gcm3_1 = {
+	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -34,9 +60,9 @@ aead_test_vector_t aes_gcm1 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
 			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6",
 };
-
-aead_test_vector_t aes_gcm2 = {
-	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm3_2 = {
+	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -50,9 +76,9 @@ aead_test_vector_t aes_gcm2 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
 			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd",
 };
-
-aead_test_vector_t aes_gcm3 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm3_3 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -66,9 +92,9 @@ aead_test_vector_t aes_gcm3 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
 			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4",
 };
-
 aead_test_vector_t aes_gcm4 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 60, .alen = 20,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -84,9 +110,28 @@ aead_test_vector_t aes_gcm4 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc"
 			  "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47",
 };
-
-aead_test_vector_t aes_gcm5 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm7 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 0, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "",
+	.cipher	= "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b\xa0\x0e\xd1\xf3\x12\x57\x24\x35",
+};
+aead_test_vector_t aes_gcm8 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 16, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x98\xe7\x24\x7c\x07\xf0\xfe\x41\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
+			  "\x2f\xf5\x8d\x80\x03\x39\x27\xab\x8e\xf4\xd4\x58\x75\x14\xf0\xfb",
+};
+aead_test_vector_t aes_gcm9 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -100,9 +145,48 @@ aead_test_vector_t aes_gcm5 = {
 			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56"
 			  "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14",
 };
-
-aead_test_vector_t aes_gcm6 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm10 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
+			  "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
+			  "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
+			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\x25\x19\x49\x8e"
+			  "\x80\xf1\x47\x8f\x37\xba\x55\xbd\x6d\x27\x61\x8c",
+};
+aead_test_vector_t aes_gcm13 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 0, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "",
+	.cipher	= "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b",
+};
+aead_test_vector_t aes_gcm14 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 16, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
+			  "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0\x26\x5b\x98\xb5\xd4\x8a\xb9\x19",
+};
+aead_test_vector_t aes_gcm15 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
@@ -117,9 +201,9 @@ aead_test_vector_t aes_gcm6 = {
 			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad"
 			  "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c",
 };
-
-aead_test_vector_t aes_gcm7 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20,
+aead_test_vector_t aes_gcm16 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 60, .alen = 20,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
@@ -136,4 +220,3 @@ aead_test_vector_t aes_gcm7 = {
 			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce"
 			  "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b",
 };
-
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index 961311eb0..c3c6ed6a7 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 74552e00b..154fc5ccd 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 7d83e48ea..30b871d42 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -29,7 +29,6 @@
 #include <utils/identification.h>
 #include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <credentials/keys/private_key.h>
 
 extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
@@ -75,7 +74,7 @@ struct private_x509_ac_t {
 	/**
 	 * Serial number of the holder certificate
 	 */
-	chunk_t holderSerial;
+	identification_t *holderSerial;
 
 	/**
 	 * ID representing the holder
@@ -98,14 +97,9 @@ struct private_x509_ac_t {
 	time_t notAfter;
 
 	/**
-	 * List of charging attributes
+	 * List of group attributes, as group_t
 	 */
-	ietf_attributes_t *charging;
-
-	/**
-	 * List of groub attributes
-	 */
-	ietf_attributes_t *groups;
+	linked_list_t *groups;
 
 	/**
 	 * Authority Key Identifier
@@ -153,6 +147,25 @@ struct private_x509_ac_t {
 	refcount_t ref;
 };
 
+/**
+ * Group definition, an IETF attribute
+ */
+typedef struct {
+	/** Attribute type */
+	ac_group_type_t type;
+	/* attribute value */
+	chunk_t value;
+} group_t;
+
+/**
+ * Clean up a group entry
+ */
+static void group_destroy(group_t *group)
+{
+	free(group->value.ptr);
+	free(group);
+}
+
 static chunk_t ASN1_noRevAvail_ext = chunk_from_chars(
 	0x30, 0x09,
 		  0x06, 0x03,
@@ -169,42 +182,41 @@ extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
 /**
  * parses a directoryName
  */
-static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
+static bool parse_directoryName(chunk_t blob, int level, bool implicit,
+								identification_t **name)
 {
-	bool has_directoryName;
-	linked_list_t *list = linked_list_create();
+	identification_t *directoryName;
+	enumerator_t *enumerator;
+	bool first = TRUE;
+	linked_list_t *list;
 
+	list = linked_list_create();
 	x509_parse_generalNames(blob, level, implicit, list);
-	has_directoryName = list->get_count(list) > 0;
 
-	if (has_directoryName)
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &directoryName))
 	{
-		enumerator_t *enumerator = list->create_enumerator(list);
-		identification_t *directoryName;
-		bool first = TRUE;
-
-		while (enumerator->enumerate(enumerator, (void**)&directoryName))
+		if (first)
 		{
-			if (first)
-			{
-				*name = directoryName;
-				first = FALSE;
-			}
-			else
-			{
-				DBG1(DBG_ASN, "more than one directory name - first selected");
-				directoryName->destroy(directoryName);
-			}
+			*name = directoryName;
+			first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_ASN, "more than one directory name - first selected");
+			directoryName->destroy(directoryName);
+			break;
 		}
-		enumerator->destroy(enumerator);
 	}
-	else
+	enumerator->destroy(enumerator);
+	list->destroy(list);
+
+	if (first)
 	{
 		DBG1(DBG_ASN, "no directoryName found");
+		return FALSE;
 	}
-
-	list->destroy(list);
-	return has_directoryName;
+	return TRUE;
 }
 
 /**
@@ -244,63 +256,131 @@ static void parse_roleSyntax(chunk_t blob, int level0)
 }
 
 /**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
+	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
+													ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
+	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
+	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+#define IETF_ATTR_OCTETS	 4
+#define IETF_ATTR_OID		 6
+#define IETF_ATTR_STRING	 8
+
+/**
+ * Parse group memberships, IETF attributes
+ */
+static bool parse_groups(private_x509_ac_t *this, chunk_t encoded, int level0)
+{
+	ac_group_type_t type;
+	group_t *group;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
+	parser->set_top_level(parser, level0);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case IETF_ATTR_OCTETS:
+				type = AC_GROUP_TYPE_OCTETS;
+				break;
+			case IETF_ATTR_OID:
+				type = AC_GROUP_TYPE_OID;
+				break;
+			case IETF_ATTR_STRING:
+				type = AC_GROUP_TYPE_STRING;
+				break;
+			default:
+				continue;
+		}
+		INIT(group,
+			.type = type,
+			.value = chunk_clone(object),
+		);
+		this->groups->insert_last(this->groups, group);
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	return success;
+}
+
+/**
  * ASN.1 definition of an X509 attribute certificate
  */
 static const asn1Object_t acObjects[] =
 {
 	{ 0, "AttributeCertificate",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  0 */
 	{ 1,   "AttributeCertificateInfo",		ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  1 */
-	{ 2,	   "version",					ASN1_INTEGER,		  ASN1_DEF |
+	{ 2,       "version",					ASN1_INTEGER,		  ASN1_DEF |
 																  ASN1_BODY }, /*  2 */
-	{ 2,	   "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
-	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
-	{ 4,	       "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
-	{ 4,	       "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
+	{ 2,       "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
+	{ 3,         "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
+	{ 4,           "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
+	{ 4,           "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
 	{ 4,         "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
 																  ASN1_BODY }, /*  7 */
 	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /*  8 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /*  9 */
-	{ 3,	   "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
+	{ 3,       "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
 																  ASN1_OBJ  }, /* 10 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 11 */
-	{ 3,	     "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
-	{ 4,	       "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
-	{ 4,	       "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+	{ 3,         "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
+	{ 4,           "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
+	{ 4,           "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
 																  ASN1_BODY }, /* 14 */
 	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /* 15 */
 	{ 4,         "digestAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 16 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 17 */
-	{ 2,	   "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
-	{ 3,	     "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
+	{ 2,       "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
+	{ 3,         "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
 																  ASN1_OBJ  }, /* 19 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 20 */
-	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
-	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
-	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
-	{ 5,		 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
+	{ 3,         "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
+	{ 4,           "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
+	{ 5,             "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
+	{ 5,         "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
 	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
 																  ASN1_BODY }, /* 25 */
 	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 27 */
 	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
-	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
-	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
-	{ 5,		 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+	{ 4,           "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
+	{ 5,     "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
+	{ 5,         "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
 																  ASN1_BODY }, /* 31 */
 	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
 	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 34 */
-	{ 2,	   "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
-	{ 2,	   "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
-	{ 2,	   "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
-	{ 3,	     "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
-	{ 3,	     "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
-	{ 2,	   "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
+	{ 2,       "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
+	{ 2,       "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
+	{ 2,       "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
+	{ 3,         "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+	{ 3,         "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+	{ 2,       "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
 	{ 3,       "attribute",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 41 */
 	{ 4,         "type",					ASN1_OID,			  ASN1_BODY }, /* 42 */
 	{ 4,         "values",					ASN1_SET, 			  ASN1_LOOP }, /* 43 */
 	{ 5,           "value",					ASN1_EOC, 			  ASN1_RAW  }, /* 44 */
-	{ 4, 	       "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
+	{ 4,           "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
 	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 46 */
 	{ 2,     "extensions",					ASN1_SEQUENCE,		  ASN1_LOOP }, /* 47 */
 	{ 3,       "extension",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 48 */
@@ -368,22 +448,26 @@ static bool parse_certificate(private_x509_ac_t *this)
 				}
 				break;
 			case AC_OBJ_HOLDER_ISSUER:
-				if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
+				if (!parse_directoryName(object, level, FALSE,
+										 &this->holderIssuer))
 				{
 					goto end;
 				}
 				break;
 			case AC_OBJ_HOLDER_SERIAL:
-				this->holderSerial = object;
+				this->holderSerial = identification_create_from_encoding(
+															ID_KEY_ID, object);
 				break;
 			case AC_OBJ_ENTITY_NAME:
-				if (!parse_directoryName(object, level, TRUE, &this->entityName))
+				if (!parse_directoryName(object, level, TRUE,
+										 &this->entityName))
 				{
 					goto end;
 				}
 				break;
 			case AC_OBJ_ISSUER_NAME:
-				if (!parse_directoryName(object, level, FALSE, &this->issuerName))
+				if (!parse_directoryName(object, level, FALSE,
+										 &this->issuerName))
 				{
 					goto end;
 				}
@@ -414,13 +498,14 @@ static bool parse_certificate(private_x509_ac_t *this)
 						DBG2(DBG_ASN, "  need to parse accessIdentity");
 						break;
 					case OID_CHARGING_IDENTITY:
-						DBG2(DBG_ASN, "-- > --");
-						this->charging = ietf_attributes_create_from_encoding(object);
-						DBG2(DBG_ASN, "-- < --");
+						DBG2(DBG_ASN, "  need to parse chargingIdentity");
 						break;
 					case OID_GROUP:
 						DBG2(DBG_ASN, "-- > --");
-						this->groups = ietf_attributes_create_from_encoding(object);
+						if (!parse_groups(this, object, level))
+						{
+							goto end;
+						}
 						DBG2(DBG_ASN, "-- < --");
 						break;
 					case OID_ROLE:
@@ -446,8 +531,9 @@ static bool parse_certificate(private_x509_ac_t *this)
 						DBG2(DBG_ASN, "  need to parse crlDistributionPoints");
 						break;
 					case OID_AUTHORITY_KEY_ID:
-						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-													level, &this->authKeySerialNumber);
+						this->authKeyIdentifier =
+								x509_parse_authorityKeyIdentifier(object,
+											level, &this->authKeySerialNumber);
 						break;
 					case OID_TARGET_INFORMATION:
 						DBG2(DBG_ASN, "  need to parse targetInformation");
@@ -490,7 +576,7 @@ end:
 static chunk_t build_directoryName(asn1_t tag, chunk_t name)
 {
 	return asn1_wrap(tag, "m",
-		asn1_simple_object(ASN1_CONTEXT_C_4, name));
+				asn1_simple_object(ASN1_CONTEXT_C_4, name));
 }
 
 /**
@@ -499,14 +585,15 @@ static chunk_t build_directoryName(asn1_t tag, chunk_t name)
 static chunk_t build_holder(private_x509_ac_t *this)
 {
 	x509_t* x509 = (x509_t*)this->holderCert;
-	identification_t *issuer = this->holderCert->get_issuer(this->holderCert);
-	identification_t *subject = this->holderCert->get_subject(this->holderCert);
+	identification_t *issuer, *subject;
+
+	issuer = this->holderCert->get_issuer(this->holderCert);
+	subject = this->holderCert->get_subject(this->holderCert);
 
 	return asn1_wrap(ASN1_SEQUENCE, "mm",
 		asn1_wrap(ASN1_CONTEXT_C_0, "mm",
 			build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
-			asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))
-		),
+			asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))),
 		build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
 }
 
@@ -515,10 +602,12 @@ static chunk_t build_holder(private_x509_ac_t *this)
  */
 static chunk_t build_v2_form(private_x509_ac_t *this)
 {
-	identification_t *subject = this->signerCert->get_subject(this->signerCert);
+	identification_t *subject;
 
+	subject = this->signerCert->get_subject(this->signerCert);
 	return asn1_wrap(ASN1_CONTEXT_C_0, "m",
-		build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
+				build_directoryName(ASN1_SEQUENCE,
+					subject->get_encoding(subject)));
 }
 
 /**
@@ -531,7 +620,6 @@ static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
 				asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
 }
 
-
 /**
  * build attribute type
  */
@@ -547,8 +635,55 @@ static chunk_t build_attribute_type(int type, chunk_t content)
  */
 static chunk_t build_attributes(private_x509_ac_t *this)
 {
+	enumerator_t *enumerator;
+	group_t *group;
+	chunk_t values;
+	size_t size = 0, len;
+	u_char *pos;
+
+	/* precalculate the total size of all values */
+	enumerator = this->groups->create_enumerator(this->groups);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		len = group->value.len;
+		size += 1 + (len > 0) + (len >= 128) +
+				(len >= 256) + (len >= 65536) + len;
+	}
+	enumerator->destroy(enumerator);
+
+	pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
+
+	enumerator = this->groups->create_enumerator(this->groups);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		chunk_t attr;
+		asn1_t type;
+
+		switch (group->type)
+		{
+			case AC_GROUP_TYPE_OCTETS:
+				type = ASN1_OCTET_STRING;
+				break;
+			case AC_GROUP_TYPE_STRING:
+				type = ASN1_UTF8STRING;
+				break;
+			case AC_GROUP_TYPE_OID:
+				type = ASN1_OID;
+				break;
+			default:
+				continue;
+		}
+		attr = asn1_simple_object(type, group->value);
+
+		memcpy(pos, attr.ptr, attr.len);
+		pos += attr.len;
+		free(attr.ptr);
+	}
+	enumerator->destroy(enumerator);
+
 	return asn1_wrap(ASN1_SEQUENCE, "m",
-		build_attribute_type(OID_GROUP, this->groups->get_encoding(this->groups)));
+				build_attribute_type(OID_GROUP,
+					asn1_wrap(ASN1_SEQUENCE, "m", values)));
 }
 
 /**
@@ -621,14 +756,11 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this)
  */
 static chunk_t build_ac(private_x509_ac_t *this)
 {
-	chunk_t signatureValue;
-	chunk_t attributeCertificateInfo;
+	chunk_t signatureValue, attributeCertificateInfo;
 
 	attributeCertificateInfo = build_attr_cert_info(this);
-
 	this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
 						  attributeCertificateInfo, &signatureValue);
-
 	return asn1_wrap(ASN1_SEQUENCE, "mmm",
 				attributeCertificateInfo,
 				asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
@@ -644,7 +776,11 @@ METHOD(ac_t, get_serial, chunk_t,
 METHOD(ac_t, get_holderSerial, chunk_t,
 	private_x509_ac_t *this)
 {
-	return this->holderSerial;
+	if (this->holderSerial)
+	{
+		return this->holderSerial->get_encoding(this->holderSerial);
+	}
+	return chunk_empty;
 }
 
 METHOD(ac_t, get_holderIssuer, identification_t*,
@@ -659,10 +795,28 @@ METHOD(ac_t, get_authKeyIdentifier, chunk_t,
 	return this->authKeyIdentifier;
 }
 
-METHOD(ac_t, get_groups, ietf_attributes_t*,
+/**
+ * Filter function for attribute enumeration
+ */
+static bool attr_filter(void *null, group_t **in, ac_group_type_t *type,
+						void *in2, chunk_t *out)
+{
+	if ((*in)->type == AC_GROUP_TYPE_STRING &&
+		!chunk_printable((*in)->value, NULL, 0))
+	{	/* skip non-printable strings */
+		return FALSE;
+	}
+	*type = (*in)->type;
+	*out = (*in)->value;
+	return TRUE;
+}
+
+METHOD(ac_t, create_group_enumerator, enumerator_t*,
 	private_x509_ac_t *this)
 {
-	return this->groups ? this->groups->get_ref(this->groups) : NULL;
+	return enumerator_create_filter(
+							this->groups->create_enumerator(this->groups),
+							(void*)attr_filter, NULL, NULL);
 }
 
 METHOD(certificate_t, get_type, certificate_type_t,
@@ -674,7 +828,11 @@ METHOD(certificate_t, get_type, certificate_type_t,
 METHOD(certificate_t, get_subject, identification_t*,
 	private_x509_ac_t *this)
 {
-	return this->entityName;
+	if (this->entityName)
+	{
+		return this->entityName;
+	}
+	return this->holderSerial;
 }
 
 METHOD(certificate_t, get_issuer, identification_t*,
@@ -686,13 +844,24 @@ METHOD(certificate_t, get_issuer, identification_t*,
 METHOD(certificate_t, has_subject, id_match_t,
 	private_x509_ac_t *this, identification_t *subject)
 {
-	return ID_MATCH_NONE;
+	id_match_t entity = ID_MATCH_NONE, serial = ID_MATCH_NONE;
+
+	if (this->entityName)
+	{
+		entity = this->entityName->matches(this->entityName, subject);
+	}
+	if (this->holderSerial)
+	{
+		serial = this->holderSerial->matches(this->holderSerial, subject);
+	}
+	return max(entity, serial);
 }
 
 METHOD(certificate_t, has_issuer, id_match_t,
 	private_x509_ac_t *this, identification_t *issuer)
 {
-	if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+	if (issuer->get_type(issuer) == ID_KEY_ID &&
+		this->authKeyIdentifier.ptr &&
 		chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
 	{
 		return ID_MATCH_PERFECT;
@@ -808,9 +977,10 @@ METHOD(certificate_t, equals, bool,
 	{
 		return TRUE;
 	}
-	if (other->equals == (void*)equals)
+	if (other->equals == _equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
+		return chunk_equals(this->encoding,
+							((private_x509_ac_t*)other)->encoding);
 	}
 	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
 	{
@@ -827,13 +997,13 @@ METHOD(certificate_t, destroy, void,
 	if (ref_put(&this->ref))
 	{
 		DESTROY_IF(this->holderIssuer);
+		DESTROY_IF(this->holderSerial);
 		DESTROY_IF(this->entityName);
 		DESTROY_IF(this->issuerName);
 		DESTROY_IF(this->holderCert);
 		DESTROY_IF(this->signerCert);
 		DESTROY_IF(this->signerKey);
-		DESTROY_IF(this->charging);
-		DESTROY_IF(this->groups);
+		this->groups->destroy_function(this->groups, (void*)group_destroy);
 		free(this->serialNumber.ptr);
 		free(this->authKeyIdentifier.ptr);
 		free(this->encoding.ptr);
@@ -869,9 +1039,10 @@ static private_x509_ac_t *create_empty(void)
 				.get_holderSerial = _get_holderSerial,
 				.get_holderIssuer = _get_holderIssuer,
 				.get_authKeyIdentifier = _get_authKeyIdentifier,
-				.get_groups = _get_groups,
+				.create_group_enumerator = _create_group_enumerator,
 			},
 		},
+		.groups = linked_list_create(),
 		.ref = 1,
 	);
 
@@ -914,6 +1085,27 @@ x509_ac_t *x509_ac_load(certificate_type_t type, va_list args)
 }
 
 /**
+ * Add groups from a list into AC group memberships
+ */
+static void add_groups_from_list(private_x509_ac_t *this, linked_list_t *list)
+{
+	enumerator_t *enumerator;
+	group_t *group;
+	char *name;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		INIT(group,
+			.type = AC_GROUP_TYPE_STRING,
+			.value = chunk_clone(chunk_from_str(name)),
+		);
+		this->groups->insert_last(this->groups, group);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * See header.
  */
 x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
@@ -934,8 +1126,8 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
 			case BUILD_SERIAL:
 				ac->serialNumber = chunk_clone(va_arg(args, chunk_t));
 				continue;
-			case BUILD_IETF_GROUP_ATTR:
-				ac->groups = ietf_attributes_create_from_string(va_arg(args, char*));
+			case BUILD_AC_GROUP_STRINGS:
+				add_groups_from_list(ac, va_arg(args, linked_list_t*));
 				continue;
 			case BUILD_CERT:
 				ac->holderCert = va_arg(args, certificate_t*);
@@ -968,4 +1160,3 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
 	destroy(ac);
 	return NULL;
 }
-
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index ed850e8f5..9fd869e77 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -758,6 +758,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 				case OID_OCSP_SIGNING:
 					this->flags |= X509_OCSP_SIGNER;
 					break;
+				case OID_MS_SMARTCARD_LOGON:
+					this->flags |= X509_MS_SMARTCARD_LOGON;
+					break;
 				default:
 					break;
 			}
@@ -2008,7 +2011,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
-	chunk_t ikeIntermediate = chunk_empty;
+	chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -2139,6 +2142,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 	}
+	if (cert->flags & X509_MS_SMARTCARD_LOGON)
+	{
+		msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
+	}
 
 	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
 		ocspSigning.ptr)
@@ -2146,9 +2153,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 								asn1_wrap(ASN1_OCTET_STRING, "m",
-									asn1_wrap(ASN1_SEQUENCE, "mmmm",
+									asn1_wrap(ASN1_SEQUENCE, "mmmmm",
 										serverAuth, clientAuth, ikeIntermediate,
-										ocspSigning)));
+										ocspSigning, msSmartcardLogon)));
 	}
 
 	/* add subjectKeyIdentifier to CA and OCSP signer certificates */
@@ -2167,7 +2174,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	}
 
 	/* add the keyid authKeyIdentifier for non self-signed certificates */
-	if (sign_key)
+	if (sign_cert)
 	{
 		chunk_t keyid;
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 09c5a8539..ff0f0231f 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -252,7 +252,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 {
 	int oid;
 	signature_scheme_t scheme;
-	chunk_t certs, signature, encoding;
+	chunk_t certs = chunk_empty, signature, encoding;
 
 	switch (this->key->get_type(this->key))
 	{
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 15fea7ee0..54bef7357 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -52,9 +52,7 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(CERT_DECODE, x509_cert_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
 				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
-				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
-				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
-				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
+				PLUGIN_DEPENDS(PUBKEY, KEY_ANY),
 
 		PLUGIN_REGISTER(CERT_ENCODE, x509_ac_gen, FALSE),
 			PLUGIN_PROVIDE(CERT_ENCODE, CERT_X509_AC),
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index c8f886c60..ca6164371 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 656be4efb..e58831c5b 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -402,7 +402,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index e373fbdb6..34ace2894 100644
--- a/src/libstrongswan/tests/suites/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -117,10 +117,13 @@ START_TEST(test_chunk_clear)
 	}
 	chunk_clear(&chunk);
 	/* check memory area of freed chunk. We can't use ck_assert() for this
-	 * test directly, as it might allocate data at the freed area. */
-	for (i = 0; i < 64; i++)
+	 * test directly, as it might allocate data at the freed area.  comparing
+	 * two bytes at once reduces the chances of conflicts if memory got
+	 * overwritten already */
+	for (i = 0; i < 64; i += 2)
 	{
-		if (ptr[i] != 0 && ptr[i] == i)
+		if (ptr[i] != 0 && ptr[i] == i &&
+			ptr[i+1] != 0 && ptr[i+1] == i+1)
 		{
 			cleared = FALSE;
 			break;
diff --git a/src/libstrongswan/tests/suites/test_enumerator.c b/src/libstrongswan/tests/suites/test_enumerator.c
index b5dde4650..9bd6d24f2 100644
--- a/src/libstrongswan/tests/suites/test_enumerator.c
+++ b/src/libstrongswan/tests/suites/test_enumerator.c
@@ -104,10 +104,10 @@ static void destroy_data(void *data)
  * filtered test
  */
 
-static bool filter(void *data, int *v, int *vo, int *w, int *wo,
-				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
+static bool filter(int *data, int **v, int *vo, int **w, int *wo,
+				   int **x, int *xo, int **y, int *yo, int **z, int *zo)
 {
-	int val = *v;
+	int val = **v;
 
 	*vo = val++;
 	*wo = val++;
@@ -118,21 +118,21 @@ static bool filter(void *data, int *v, int *vo, int *w, int *wo,
 	return TRUE;
 }
 
-static bool filter_odd(void *data, int *item, int *out)
+static bool filter_odd(void *data, int **item, int *out)
 {
 	fail_if(data != (void*)101, "data does not match '101' in filter function");
-	*out = *item;
-	return *item % 2 == 0;
+	*out = **item;
+	return **item % 2 == 0;
 }
 
 START_TEST(test_filtered)
 {
-	int round, v, w, x, y, z;
+	int data[5] = {1,2,3,4,5}, round, v, w, x, y, z;
 	linked_list_t *list;
 	enumerator_t *enumerator;
 
-	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
-										 (void*)5, NULL);
+	list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3],
+										 &data[4], NULL);
 
 	round = 1;
 	enumerator = enumerator_create_filter(list->create_enumerator(list),
@@ -155,12 +155,12 @@ END_TEST
 
 START_TEST(test_filtered_filter)
 {
-	int count, x;
+	int data[5] = {1,2,3,4,5}, count, x;
 	linked_list_t *list;
 	enumerator_t *enumerator;
 
-	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
-										 (void*)5, NULL);
+	list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3],
+										 &data[4], NULL);
 
 	count = 0;
 	/* should also work without destructor, so set this manually */
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
index a46f5742c..7c0cb81bf 100644
--- a/src/libstrongswan/tests/suites/test_ntru.c
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -20,6 +20,8 @@
 #include <plugins/ntru/ntru_mgf1.h>
 #include <plugins/ntru/ntru_trits.h>
 #include <plugins/ntru/ntru_poly.h>
+#include <plugins/ntru/ntru_param_set.h>
+#include <plugins/ntru/ntru_private_key.h>
 #include <utils/test.h>
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
@@ -41,6 +43,18 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*,
 						  uint32_t indices_len_p, uint32_t indices_len_m,
 						  bool is_product_form)
 
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id,  ntru_param_set_t* ,
+						  ntru_param_set_id_t id)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create, ntru_private_key_t*,
+						  ntru_drbg_t *drbg, ntru_param_set_t *params)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data, ntru_private_key_t*,
+						  ntru_drbg_t *drbg, chunk_t data)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data, ntru_public_key_t*,
+						  ntru_drbg_t *drbg, chunk_t data)
+
 /**
  * NTRU parameter sets to test
  */
@@ -86,7 +100,8 @@ START_TEST(test_ntru_drbg_strength)
 	entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	ck_assert(entropy != NULL);
 
-	drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, strengths[_i].requested,
+						 chunk_empty, entropy);
 	if (strengths[_i].standard)
 	{
 		ck_assert(drbg != NULL);
@@ -243,7 +258,8 @@ START_TEST(test_ntru_drbg)
 
 	out = chunk_alloc(128);
 	entropy = test_rng_create(drbg_tests[_i].entropy);
-	drbg = ntru_drbg_create(256, drbg_tests[_i].pers_str, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, drbg_tests[_i].pers_str,
+						 entropy);
 	ck_assert(drbg != NULL);
 	ck_assert(drbg->reseed(drbg));
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
@@ -265,7 +281,7 @@ START_TEST(test_ntru_drbg_reseed)
 						  "libstrongswan.plugins.ntru.max_drbg_requests", 2);
 	out = chunk_alloc(128);
 	entropy = test_rng_create(drbg_tests[0].entropy);
-	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy);
 
 	/* bad output parameters */
 	ck_assert(!drbg->generate(drbg, 256, 0, out.ptr));
@@ -283,13 +299,13 @@ START_TEST(test_ntru_drbg_reseed)
 	drbg->destroy(drbg);
 
 	/* no entropy available for DRBG instantiation */
-	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy);
 	ck_assert(drbg == NULL);
 	entropy->destroy(entropy);
 
 	/* one automatic reseeding occurs */
 	entropy = test_rng_create(drbg_tests[0].entropy);
-	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy);
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
@@ -374,7 +390,7 @@ uint16_t indices_ees1171ep1[] = {
  */
 mgf1_test_t mgf1_tests[] = {
 	{	HASH_SHA1, 20, 60, 20, 15, 24,
-		chunk_from_chars( 
+		chunk_from_chars(
 						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
 						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
 						0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2,
@@ -408,7 +424,7 @@ mgf1_test_t mgf1_tests[] = {
 						0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
 						0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
 						0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
-						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), 
+						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
 		chunk_from_chars(
 				1, 2, 1, 0, 0,  1, 1, 1, 2, 0,  1, 0, 1, 1, 1,  0, 2, 0, 1, 1,
 				0, 0, 0, 1, 1,  0, 2, 0, 2, 2,	1, 2, 2, 2, 1,  2, 1, 1, 0, 0,
@@ -466,7 +482,7 @@ mgf1_test_t mgf1_tests[] = {
 						0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
 						0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
 						0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
-						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), 
+						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
 		chunk_from_chars(
 						0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
 						0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
@@ -542,14 +558,17 @@ START_TEST(test_ntru_mgf1)
 	mask2.len = mgf1_tests[_i].ml2;
 	mask3.len = mgf1_tests[_i].ml3;
 
-	mgf1 = ntru_mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, HASH_UNKNOWN,
+						 mgf1_tests[_i].seed, TRUE);
 	ck_assert(mgf1 == NULL);
 
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 chunk_empty, TRUE);
 	ck_assert(mgf1 == NULL);
 
 	/* return mask in allocated chunk */
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].seed, TRUE);
 	ck_assert(mgf1);
 
 	/* check hash size */
@@ -565,14 +584,16 @@ START_TEST(test_ntru_mgf1)
 	mgf1->destroy(mgf1);
 
 	/* copy mask to pre-allocated buffer */
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].seed, TRUE);
 	ck_assert(mgf1);
 	ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
 	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
 	mgf1->destroy(mgf1);
 
 	/* get mask in batches without hashing the seed */
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].hashed_seed, FALSE);
 	ck_assert(mgf1);
 
 	/* first batch */
@@ -600,16 +621,16 @@ START_TEST(test_ntru_trits)
 	ntru_trits_t *mask;
 	chunk_t trits;
 
-	mask = ntru_trits_create(mgf1_tests[_i].trits.len, HASH_UNKNOWN,
-							 mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
+						 HASH_UNKNOWN, mgf1_tests[_i].seed);
 	ck_assert(mask == NULL);
 
-	mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
-							 chunk_empty);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
+						 mgf1_tests[_i].alg, chunk_empty);
 	ck_assert(mask == NULL);
 
-	mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
-							 mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
+						 mgf1_tests[_i].alg, mgf1_tests[_i].seed);
 	ck_assert(mask);
 
 	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
@@ -617,7 +638,8 @@ START_TEST(test_ntru_trits)
 	mask->destroy(mask);
 
 	/* generate a multiple of 5 trits */
-	mask = ntru_trits_create(10, mgf1_tests[_i].alg, mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].seed);
 	ck_assert(mask);
 
 	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
@@ -638,17 +660,17 @@ START_TEST(test_ntru_poly)
 	seed.len = mgf1_tests[_i].seed_len;
 
 	p = &mgf1_tests[_i].poly_test[0];
-	poly = ntru_poly_create_from_seed(HASH_UNKNOWN, seed, p->c_bits, p->N, p->q,
-									  p->indices_len, p->indices_len,
-									  p->is_product_form);
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed,
+						 p->c_bits, p->N, p->q, p->indices_len, p->indices_len,
+						 p->is_product_form);
 	ck_assert(poly == NULL);
 
 	for (n = 0; n < 2; n++)
 	{
 		p = &mgf1_tests[_i].poly_test[n];
-		poly = ntru_poly_create_from_seed(mgf1_tests[_i].alg, seed, p->c_bits,
-										  p->N, p->q, p->indices_len,
-										  p->indices_len, p->is_product_form);
+		poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed,
+							mgf1_tests[_i].alg, seed, p->c_bits, p->N, p->q,
+							p->indices_len, p->indices_len, p->is_product_form);
 		ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size);
 
 		indices = poly->get_indices(poly);
@@ -748,8 +770,9 @@ START_TEST(test_ntru_ring_mult)
 	int i;
 
 	t = &ring_mult_tests[_i];
-	poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
-									  t->indices_len_m, t->is_product_form);
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_data, t->indices, t->N,
+						 t->q, t->indices_len_p, t->indices_len_m,
+						 t->is_product_form);
 	ck_assert(poly != NULL);
 
 	c = malloc(t->N * sizeof(uint16_t));
@@ -776,8 +799,9 @@ START_TEST(test_ntru_array)
 
 	t = &ring_mult_tests[array_tests[_i]];
 
-	poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
-									  t->indices_len_m, t->is_product_form);
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_data, t->indices, t->N,
+						 t->q, t->indices_len_p, t->indices_len_m,
+						 t->is_product_form);
 	ck_assert(poly != NULL);
 
 	c = malloc(t->N * sizeof(uint16_t));
@@ -793,62 +817,413 @@ START_TEST(test_ntru_array)
 }
 END_TEST
 
+START_TEST(test_ntru_param_set)
+{
+	ck_assert(TEST_FUNCTION(ntru, ntru_param_set_get_by_id, -1) == NULL);
+	ck_assert(TEST_FUNCTION(ntru, ntru_param_set_get_by_id, 16) == NULL);
+}
+END_TEST
+
+typedef struct {
+	ntru_param_set_id_t id;
+	chunk_t entropy;
+	chunk_t encoding;
+} privkey_test_t;
+
+privkey_test_t privkey_tests[] = {
+	{
+		NTRU_EES401EP1,
+		chunk_from_chars(
+						0x0C, 0x2F, 0x24, 0xE1, 0xA4, 0x81, 0x26, 0xA2,
+						0x6C, 0xEA, 0xCD, 0x1A, 0xF3, 0xEB, 0x3D, 0xBF,
+						0xEA, 0xAE, 0xC3, 0x0D, 0xC1),
+		chunk_from_chars(
+						0x02, 0x03, 0x00, 0x02, 0x04, 0x3E, 0xF3, 0xCB,
+						0x7A, 0x58, 0x13, 0x75, 0xBB, 0x87, 0xF5, 0xBF,
+						0x2E, 0x18, 0xAE, 0x03, 0xAF, 0xB8, 0x33, 0x85,
+						0xD8, 0xBF, 0x8A, 0xB5, 0x8C, 0xA6, 0xDF, 0x03,
+						0x90, 0x1E, 0xE4, 0x83, 0xA4, 0x95, 0x40, 0xB5,
+						0x08, 0x92, 0x29, 0xD8, 0x83, 0xA8, 0x42, 0xB2,
+						0x69, 0xC2, 0x00, 0x8B, 0xAE, 0x80, 0x00, 0x4F,
+						0x3D, 0xDD, 0xFB, 0xDB, 0x9A, 0xD8, 0x0F, 0xFF,
+						0xBC, 0x21, 0xD5, 0xE6, 0x04, 0x9C, 0xDD, 0x3B,
+						0x2D, 0x16, 0x4B, 0xC7, 0x3D, 0xBE, 0xDE, 0xBB,
+						0x6F, 0xF4, 0x8A, 0x31, 0xCD, 0x23, 0x19, 0xC2,
+						0x3C, 0xE1, 0xE2, 0xEE, 0xE4, 0xE7, 0x2E, 0xFC,
+						0x5C, 0xDD, 0xAD, 0x0C, 0x9D, 0x98, 0xC5, 0x18,
+						0x2A, 0x80, 0x21, 0x93, 0x61, 0xC4, 0x9A, 0x16,
+						0xE8, 0x9B, 0xF7, 0x3B, 0x6D, 0x06, 0x91, 0x9E,
+						0x71, 0x59, 0xBE, 0x8E, 0x65, 0x61, 0xB2, 0x69,
+						0x9C, 0x82, 0x58, 0x0D, 0x63, 0x7A, 0x1F, 0x2A,
+						0x1C, 0x2C, 0x92, 0x8C, 0x8D, 0xCA, 0x2B, 0x45,
+						0x24, 0x79, 0xDB, 0x7F, 0x1D, 0x2F, 0xAB, 0x88,
+						0x8C, 0x1D, 0xE3, 0x15, 0x8F, 0xCD, 0x46, 0x8C,
+						0x45, 0x20, 0x88, 0x1C, 0x17, 0xE0, 0xE5, 0x89,
+						0xF4, 0x60, 0x56, 0x3C, 0x6B, 0x9F, 0x2A, 0xD9,
+						0xD0, 0xAE, 0x3B, 0xB6, 0xC2, 0xB7, 0x58, 0xC6,
+						0x6E, 0x09, 0x36, 0x21, 0x0B, 0xDD, 0xE9, 0x52,
+						0x33, 0x27, 0x39, 0xC8, 0x51, 0x59, 0x69, 0x25,
+						0xC6, 0x3D, 0x19, 0x5C, 0x5E, 0x74, 0xD0, 0x62,
+						0xD9, 0x26, 0x90, 0xC7, 0x64, 0x92, 0xA8, 0x72,
+						0xD1, 0x77, 0x1F, 0x78, 0xC5, 0x11, 0xBD, 0x5D,
+						0x3C, 0x1B, 0x1F, 0x8B, 0x5B, 0xE4, 0x5D, 0xA1,
+						0x27, 0x6D, 0x20, 0x24, 0x32, 0x53, 0xF3, 0xB0,
+						0xE6, 0x71, 0x61, 0xCC, 0xFC, 0x4A, 0x06, 0xDA,
+						0xBE, 0xD7, 0x9F, 0x2F, 0xEB, 0x44, 0xD0, 0x8A,
+						0x7D, 0x8E, 0x82, 0xF5, 0x84, 0xCF, 0x8E, 0xE5,
+						0x4B, 0xA4, 0x30, 0x77, 0xBD, 0x14, 0xB9, 0x75,
+						0x02, 0x68, 0xDF, 0x71, 0x89, 0x81, 0xF2, 0x95,
+						0xC3, 0x67, 0x6E, 0x37, 0xE4, 0xD0, 0xC9, 0x1E,
+						0x02, 0xDE, 0x2D, 0x79, 0x99, 0xE8, 0x7D, 0x5C,
+						0x99, 0xF2, 0x1A, 0xDE, 0x12, 0x9B, 0xD1, 0x83,
+						0x9B, 0x01, 0xD3, 0xEB, 0x2B, 0x8E, 0x9C, 0xA5,
+						0x19, 0xE8, 0x2E, 0xFE, 0x23, 0x6E, 0xAD, 0x8F,
+						0x3C, 0xAF, 0xB9, 0xE6, 0xDB, 0x07, 0xA4, 0x31,
+						0x02, 0x2B, 0x6A, 0xA0, 0xFB, 0x51, 0x6C, 0xD0,
+						0x26, 0xD5, 0xAD, 0x29, 0x65, 0x10, 0xCE, 0xF8,
+						0x84, 0x4D, 0x1E, 0x37, 0x92, 0xA2, 0xD1, 0xFA,
+						0xF6, 0xC0, 0x36, 0x4C, 0x23, 0x3A, 0x42, 0xAA,
+						0xB8, 0x0D, 0x4E, 0xD4, 0x40, 0x61, 0xD5, 0x36,
+						0x62, 0x23, 0x7C, 0x1C, 0x5E, 0xEA, 0x16, 0xAD,
+						0x4F, 0x30, 0xF9, 0x16, 0x99, 0xCE, 0xC5, 0x50,
+						0xAC, 0x8F, 0x6F, 0x98, 0xD7, 0xE3, 0x89, 0x6E,
+						0x3A, 0x12, 0xCE, 0xA7, 0xA4, 0x17, 0x74, 0xDC,
+						0xDB, 0xFA, 0xFF, 0xF9, 0x35, 0xD7, 0xF5, 0x77,
+						0x03, 0xF5, 0xBF, 0x81, 0x6C, 0x9F, 0x62, 0xA6,
+						0x8A, 0x5B, 0xA3, 0xEF, 0x9D, 0xC3, 0xF6, 0x3A,
+						0x6A, 0xC0, 0x42, 0x71, 0xAF, 0x90, 0xCA, 0x1D,
+						0x86, 0x78, 0xD7, 0x2C, 0xFE, 0xB6, 0x99, 0x15,
+						0x8C, 0x10, 0x42, 0x92, 0x2C, 0x05, 0x43, 0x92,
+						0x69, 0x05, 0x8D, 0x9E, 0xBC, 0xAB, 0x8F, 0x28,
+						0xAA, 0x4B, 0xFB, 0x25, 0xD9, 0xAD, 0x29, 0xFF,
+						0x33, 0x65, 0x14, 0xC3, 0x75, 0x1F, 0xCF, 0xFC,
+						0x20, 0x83, 0xBF, 0xB9, 0xA5, 0x4B, 0x7B, 0xD9,
+						0x07, 0x5C, 0xA1, 0xD1, 0x5A, 0x3E, 0x94, 0xF8,
+						0x03, 0xDE, 0xB8, 0x94, 0x11, 0x92, 0x80, 0x77,
+						0x57, 0x45, 0x1E, 0x6B, 0xA5, 0x15, 0xDB, 0x48,
+						0xB6, 0x9E, 0x02, 0xF1, 0x61, 0x4A, 0xAC, 0x1D,
+						0x49, 0xBC, 0xA9, 0x3F, 0x03, 0x50, 0xAC, 0x02,
+						0x8E, 0x84, 0xE0, 0x12, 0x37, 0x76, 0xBC, 0x4A,
+						0xF9, 0xC6, 0x74, 0x36, 0xFC, 0x92, 0x1D, 0x59,
+						0x0C, 0x04, 0xD2, 0x14, 0xB7, 0x11, 0xE9, 0xE2,
+						0xFE, 0x0C, 0xE1, 0xDA, 0x8B, 0xCA, 0x10, 0xA1,
+						0x60, 0xB6, 0x57, 0x51, 0x00, 0xD6, 0x5B, 0x55,
+						0x09, 0x60, 0xE8, 0x00, 0x40, 0x45, 0x56, 0xBA,
+						0x83, 0x1E, 0x36, 0x12, 0x59, 0x4B, 0x19, 0x00,
+						0x53, 0xAE, 0x62, 0xA6, 0x29, 0x39, 0xED, 0x87,
+						0x24, 0x37, 0x1E, 0x1B, 0xCF, 0x3F, 0x3A, 0x71,
+						0x31, 0xB5, 0x50, 0x8D, 0x4B, 0x53, 0x53, 0x75,
+						0x3F, 0x33, 0x39, 0x09, 0x2A, 0x78, 0xA8, 0x71,
+						0x3E, 0x63, 0xC5, 0x61, 0x73, 0xB6, 0xE1, 0x71,
+						0x16, 0xDA, 0x06, 0xBF, 0x3F, 0x22, 0x74, 0x89,
+						0x08, 0xD2, 0x05, 0x0B, 0x16, 0xC8, 0xF0, 0x17,
+						0x4E, 0xA2, 0x65, 0x67, 0x6D, 0x02)
+	},
+	{
+		NTRU_EES743EP1,
+		chunk_from_chars(
+						0x9B, 0xAB, 0x57, 0xDB, 0x2C, 0x60, 0x83, 0x48,
+						0x9F, 0xC9, 0x70, 0x8F, 0x69, 0xF7, 0xB4, 0xBB,
+						0x63, 0x5C, 0x9A, 0x63, 0x07, 0x80, 0x17, 0xD3,
+						0xCD, 0xB1, 0x57, 0x79, 0xFE, 0x8D, 0x81, 0x70,
+						0xEB, 0x50, 0xFA, 0x05, 0xFB, 0x97, 0xB2, 0xAB,
+						0x25, 0xED, 0xD8, 0x18, 0x1C, 0xFE, 0x96, 0x7D),
+		chunk_from_chars(
+						0x02, 0x03, 0x00, 0x06, 0x10, 0x14, 0x53, 0x73,
+						0x56, 0xF5, 0xA9, 0x34, 0xDE, 0xA6, 0x4D, 0x46,
+						0x05, 0x9E, 0x80, 0xAE, 0xB6, 0x74, 0x91, 0xFF,
+						0xFB, 0x48, 0xD3, 0x5C, 0x61, 0x12, 0x46, 0x02,
+						0x9F, 0x53, 0x45, 0x87, 0x47, 0xBD, 0x6B, 0x26,
+						0xF7, 0x36, 0xD3, 0x99, 0x1B, 0xD7, 0xEA, 0xA3,
+						0xA8, 0x94, 0xFF, 0x93, 0x46, 0x7C, 0x2C, 0x5F,
+						0x87, 0x8C, 0x38, 0xB3, 0x7B, 0xC6, 0x49, 0xE2,
+						0x88, 0xCA, 0x67, 0x89, 0xD0, 0x6D, 0x7C, 0xAE,
+						0x7C, 0x98, 0x84, 0xDA, 0x6B, 0x93, 0x92, 0xEF,
+						0x4A, 0xD1, 0x4A, 0xD2, 0x5B, 0x13, 0xF8, 0x59,
+						0x15, 0x2E, 0xBC, 0x70, 0x8D, 0x2D, 0xA9, 0x47,
+						0xA1, 0x99, 0x19, 0x3F, 0x67, 0xE8, 0x18, 0xA7,
+						0x17, 0x07, 0xB3, 0x14, 0xF6, 0x20, 0xA1, 0xD8,
+						0x33, 0xE8, 0x08, 0x6A, 0xC1, 0x39, 0x99, 0x08,
+						0xB4, 0x88, 0xEB, 0x48, 0x7D, 0xFB, 0xF5, 0xEF,
+						0x03, 0x0D, 0x25, 0xB7, 0x98, 0xF3, 0xF1, 0x15,
+						0x63, 0xE4, 0x0F, 0xFD, 0x54, 0x9F, 0x56, 0xE9,
+						0xD1, 0x44, 0xE5, 0x89, 0x66, 0x14, 0x91, 0x1C,
+						0xFD, 0xD6, 0xFD, 0x38, 0xAE, 0x39, 0xE3, 0xF7,
+						0xCD, 0x77, 0xC2, 0xEA, 0x2E, 0xE4, 0xB7, 0x2B,
+						0xBA, 0x7A, 0xD1, 0x75, 0xB8, 0x28, 0x65, 0x18,
+						0xF4, 0xC6, 0xBD, 0xD0, 0x17, 0x7E, 0xEA, 0x86,
+						0x7E, 0xFC, 0x95, 0xD6, 0x4C, 0x92, 0x01, 0xC3,
+						0xFF, 0x04, 0x9B, 0xF8, 0xD6, 0xB3, 0x8F, 0x72,
+						0xEF, 0x64, 0x09, 0x61, 0xF8, 0xE4, 0x48, 0xFC,
+						0x0D, 0xEE, 0xEF, 0xA2, 0x9F, 0x3A, 0x2B, 0x1A,
+						0xFB, 0x8B, 0xA0, 0x9C, 0x11, 0x0B, 0x97, 0x75,
+						0x30, 0x7C, 0xB8, 0x9F, 0xEE, 0x3B, 0x53, 0x85,
+						0x7D, 0xE9, 0xCB, 0xC4, 0x4D, 0xD7, 0x7F, 0x59,
+						0x10, 0x72, 0x19, 0x3A, 0xC9, 0x38, 0xFE, 0xE8,
+						0xB3, 0x06, 0x55, 0x8D, 0xA2, 0x5A, 0x3D, 0x79,
+						0x67, 0x0E, 0x90, 0xC9, 0x25, 0x6D, 0x45, 0x9C,
+						0x39, 0x79, 0x5F, 0x18, 0x35, 0x9F, 0xC1, 0x49,
+						0x08, 0x6F, 0x1C, 0x47, 0x09, 0x0D, 0x49, 0x7C,
+						0x3C, 0x7B, 0xB1, 0x09, 0x92, 0x1C, 0x4E, 0x5A,
+						0xDA, 0x74, 0x9E, 0xBB, 0x55, 0x9D, 0xBB, 0x1E,
+						0x43, 0x28, 0x62, 0xAF, 0x02, 0xB0, 0x1A, 0xEA,
+						0x13, 0x0A, 0x70, 0x0F, 0x60, 0x0F, 0x62, 0xA2,
+						0x4E, 0x1F, 0xB2, 0xEA, 0x06, 0xDD, 0x18, 0x02,
+						0x6C, 0xF3, 0x82, 0xF1, 0x80, 0x7F, 0xA7, 0x2F,
+						0xCC, 0xC6, 0x18, 0xEA, 0xFF, 0x1F, 0xAD, 0xC6,
+						0xBA, 0x0C, 0x0E, 0x04, 0xB2, 0x58, 0x1D, 0xB6,
+						0x01, 0xA3, 0x97, 0xDF, 0x7D, 0x9B, 0xB5, 0x0A,
+						0xAD, 0x30, 0x2B, 0xC5, 0x67, 0x40, 0x07, 0xF1,
+						0xD5, 0x6C, 0x11, 0x10, 0xE1, 0x69, 0x30, 0xAD,
+						0x90, 0x06, 0xDB, 0xF8, 0xEA, 0x92, 0x9B, 0x39,
+						0x57, 0x38, 0x7B, 0xE4, 0xB2, 0xA2, 0x89, 0xFD,
+						0xB1, 0x6D, 0x88, 0x41, 0x62, 0x4D, 0x18, 0xB6,
+						0x3F, 0x12, 0x81, 0xDE, 0xE6, 0xDC, 0x4A, 0x31,
+						0x61, 0x26, 0xB1, 0x4B, 0x95, 0xC1, 0x69, 0xDC,
+						0xDC, 0xAC, 0xD0, 0x15, 0xFC, 0x21, 0xC5, 0x20,
+						0x5F, 0x97, 0x76, 0x41, 0xC1, 0xF2, 0xD7, 0x95,
+						0x1D, 0x25, 0x23, 0x36, 0x86, 0xFA, 0x7E, 0xF4,
+						0x14, 0x9F, 0x9D, 0x9F, 0xB2, 0xBB, 0x25, 0x1D,
+						0xD5, 0x7A, 0x6F, 0x9E, 0xF7, 0xEF, 0x9D, 0x63,
+						0x1E, 0xD5, 0xDE, 0x6A, 0xE6, 0x46, 0x48, 0x1F,
+						0xE1, 0x0C, 0x4D, 0x82, 0xC9, 0x19, 0x3B, 0x65,
+						0xA4, 0x06, 0x13, 0xB7, 0x04, 0xB1, 0x62, 0xF7,
+						0x08, 0xAE, 0xED, 0x42, 0x6D, 0xCC, 0x6C, 0xA6,
+						0x06, 0x06, 0x41, 0x3E, 0x0C, 0x89, 0x4C, 0xBD,
+						0x00, 0x4F, 0x0E, 0xA9, 0x72, 0x06, 0x21, 0x82,
+						0xD2, 0xB6, 0x6C, 0xB0, 0xB0, 0x01, 0x5B, 0xDD,
+						0x05, 0xCE, 0x71, 0x6E, 0x00, 0x58, 0xC7, 0xA6,
+						0x5B, 0xF6, 0xFB, 0x6B, 0x62, 0xB1, 0xE8, 0x4D,
+						0xAC, 0xC0, 0x6B, 0xF4, 0x40, 0x69, 0xEE, 0x0D,
+						0xE7, 0x82, 0x61, 0x8D, 0x35, 0x01, 0x97, 0x4E,
+						0xF2, 0xCC, 0xF5, 0x7F, 0xBF, 0xE4, 0xEC, 0x9C,
+						0xC4, 0xD2, 0xD9, 0x65, 0x78, 0x98, 0xD8, 0xB0,
+						0xFA, 0xA8, 0xFB, 0xB0, 0xCE, 0x22, 0x5D, 0x0B,
+						0x27, 0xDF, 0x0E, 0x63, 0x42, 0xFE, 0x89, 0x13,
+						0x99, 0xB2, 0x02, 0x0B, 0xF6, 0x04, 0xB6, 0xAF,
+						0x9F, 0x8C, 0xA6, 0x17, 0x0D, 0xD9, 0x5B, 0x45,
+						0xE4, 0x08, 0x53, 0x51, 0xE0, 0xD5, 0x22, 0x72,
+						0xBE, 0xAD, 0x74, 0x69, 0xB9, 0xFB, 0x91, 0xF8,
+						0xC1, 0x89, 0x28, 0x71, 0x27, 0x62, 0xB1, 0xF0,
+						0xFD, 0x78, 0xBC, 0x82, 0xFE, 0x76, 0xBE, 0x7B,
+						0x47, 0x79, 0x32, 0x71, 0xAD, 0xD6, 0x76, 0x46,
+						0xFB, 0x32, 0xE8, 0x4B, 0x98, 0x9A, 0xC6, 0x85,
+						0xF2, 0xF1, 0x8A, 0xEC, 0xC2, 0x4E, 0x9B, 0x2F,
+						0x2D, 0x6F, 0xC9, 0x9B, 0xB6, 0x14, 0x35, 0x6D,
+						0xD6, 0x5B, 0xF3, 0x02, 0x5A, 0xE5, 0xBD, 0x00,
+						0xF7, 0x6E, 0x51, 0xA7, 0xDB, 0x19, 0xAE, 0x01,
+						0x01, 0x05, 0x94, 0x23, 0xF7, 0x5B, 0x07, 0x79,
+						0xFF, 0x39, 0x58, 0x9C, 0x2A, 0xF7, 0x7E, 0x5D,
+						0x81, 0xF9, 0x59, 0xFE, 0xB9, 0x9A, 0x96, 0x63,
+						0x1F, 0x65, 0xF6, 0xF0, 0x3D, 0xEA, 0xD7, 0xC2,
+						0x8A, 0xCF, 0xB5, 0x58, 0x74, 0x77, 0x23, 0xD6,
+						0x72, 0x58, 0xA8, 0xAE, 0x31, 0x8A, 0x59, 0xEA,
+						0x69, 0x14, 0x6A, 0x20, 0x78, 0x79, 0x28, 0x5A,
+						0xE1, 0x76, 0x6F, 0xA6, 0x1A, 0x9E, 0x47, 0xD2,
+						0xAF, 0x63, 0xF8, 0x06, 0xF6, 0xD8, 0xD5, 0x14,
+						0xA8, 0xD1, 0xEE, 0x96, 0xCE, 0xBB, 0x8E, 0x22,
+						0x69, 0x2F, 0x52, 0x06, 0xB6, 0x6F, 0xC8, 0x99,
+						0x96, 0xEA, 0xC6, 0x1D, 0x96, 0x4C, 0x69, 0x95,
+						0xFE, 0x74, 0x04, 0x3C, 0x55, 0xD9, 0x5F, 0xE0,
+						0x41, 0x21, 0x43, 0x21, 0x5A, 0x50, 0x5D, 0x8B,
+						0xE8, 0xB2, 0x51, 0x1B, 0x7C, 0x63, 0x50, 0xAE,
+						0x97, 0x4F, 0xBA, 0x7D, 0xF2, 0xB6, 0xB6, 0x16,
+						0x1D, 0x47, 0x9E, 0x19, 0x68, 0xD4, 0x6B, 0x2B,
+						0x75, 0xCD, 0xAE, 0x65, 0x33, 0x38, 0xF6, 0x6D,
+						0xC7, 0x3E, 0x46, 0x98, 0x9E, 0x98, 0x8B, 0x45,
+						0x11, 0xA7, 0x12, 0x05, 0xB0, 0x01, 0xC3, 0x51,
+						0xA0, 0xEE, 0x7C, 0x16, 0xD1, 0x42, 0x96, 0xC4,
+						0xF0, 0x7B, 0x71, 0xCD, 0x50, 0x38, 0xA4, 0xB0,
+						0x6E, 0x6F, 0xE0, 0xBD, 0xC4, 0xF7, 0x96, 0x2B,
+						0xF1, 0x6D, 0x9F, 0xF3, 0x71, 0x89, 0xFA, 0xB4,
+						0x44, 0xA4, 0x32, 0xDC, 0xB2, 0x55, 0x13, 0x31,
+						0x83, 0x29, 0x66, 0x21, 0x3E, 0x89, 0xF8, 0x78,
+						0x97, 0x9C, 0x64, 0xF9, 0x2C, 0x0A, 0x88, 0xBC,
+						0xCA, 0x6F, 0x83, 0x42, 0xF6, 0xD7, 0x00, 0xC4,
+						0x19, 0x52, 0xB0, 0x31, 0xA8, 0xBA, 0xE8, 0xD4,
+						0xAD, 0x4B, 0x5D, 0xC0, 0x01, 0x20, 0x6C, 0xBB,
+						0x1D, 0x9A, 0x1D, 0xD4, 0x19, 0xFD, 0x33, 0xAB,
+						0xA0, 0x54, 0x50, 0x91, 0xE9, 0x75, 0x5C, 0x7E,
+						0x7E, 0xB3, 0x24, 0x79, 0xAE, 0x10, 0x3C, 0xB4,
+						0xB7, 0x0A, 0x1D, 0x86, 0xAD, 0x06, 0x95, 0xCB,
+						0x84, 0x9B, 0x0E, 0x8B, 0x77, 0x7E, 0x3E, 0xD2,
+						0xA6, 0xDF, 0xAD, 0x4E, 0xFB, 0x69, 0x23, 0xAC,
+						0x7A, 0xCB, 0xAA, 0xB0, 0x22, 0xDD, 0xD2, 0xC6,
+						0xC7, 0xAD, 0xD7, 0xDE, 0xEC, 0x6F, 0x08, 0x41,
+						0x54, 0xD5, 0x52, 0xDC, 0x77, 0xE4, 0x72, 0xF9,
+						0x16, 0xB1, 0xC9, 0xAF, 0xB1, 0x3B, 0x18, 0x99,
+						0x20, 0x9F, 0x79, 0x63, 0x7B, 0x07, 0xC7, 0x35,
+						0xDF, 0xBB, 0xCE, 0x66, 0x93, 0x1B, 0xF5, 0x82,
+						0x25, 0x67, 0xC1, 0xF2, 0xF0, 0x89, 0x0F, 0xEF,
+						0x84, 0x0D, 0x63, 0xB6, 0x7B, 0xD0, 0x40, 0x8E,
+						0xDB, 0x94, 0xCC, 0x71, 0x3C, 0xDB, 0x36, 0x14,
+						0x34, 0xFD, 0xA0, 0xB0, 0xC1, 0x45, 0x31, 0xF8,
+						0x8D, 0xD8, 0x23, 0xB1, 0x05, 0x14, 0xA9, 0x55,
+						0x3A, 0x1A, 0x37, 0x48, 0x68, 0x89, 0x3F, 0x15,
+						0x25, 0xD4, 0x99, 0x53, 0x4C, 0x85, 0x98, 0x78,
+						0x1D, 0x35, 0x4A, 0x83, 0x79, 0x9A, 0x29, 0x90,
+						0x2B, 0x45, 0x76, 0x0C, 0x13, 0x80, 0x4A, 0xE0,
+						0x40, 0xED, 0x6B, 0x2E, 0x2A, 0x43, 0xA9, 0x28,
+						0xB0, 0x2F, 0x89, 0x01, 0x6B, 0x39, 0x8C, 0x5E,
+						0x80, 0x61, 0xD9, 0xEE, 0x0F, 0x41, 0x75, 0xB5,
+						0xAE, 0xB6, 0xC2, 0x42, 0x49, 0x8D, 0x89, 0xD8,
+						0xF4, 0x78, 0x1D, 0x90, 0x46, 0x26, 0x4C, 0x56,
+						0xB7, 0xC0, 0xD9, 0x98, 0x7B, 0x07, 0xA1, 0x20)
+	}
+};
+
+START_TEST(test_ntru_privkey)
+{
+	rng_t *entropy;
+	ntru_drbg_t *drbg;
+	ntru_private_key_t *privkey;
+	ntru_public_key_t *pubkey;
+	ntru_param_set_t *params;
+	uint32_t strength;
+	chunk_t encoding, privkey_encoding, pubkey_encoding;
+
+	params = TEST_FUNCTION(ntru, ntru_param_set_get_by_id,
+						   privkey_tests[_i].id);
+	strength = params->sec_strength_len * BITS_PER_BYTE;
+	entropy = test_rng_create(privkey_tests[_i].entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, strength,
+						 chunk_from_str("IKE NTRU-KE"), entropy);
+	ck_assert(drbg != NULL);
+
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create, drbg, params);
+	ck_assert(privkey);
+	ck_assert(privkey->get_id(privkey) == privkey_tests[_i].id);
+
+	privkey_encoding = privkey->get_encoding(privkey);
+	encoding = privkey_tests[_i].encoding;
+	ck_assert(chunk_equals(privkey_encoding, encoding));
+
+	/* load private key as a packed blob */
+	privkey->destroy(privkey);
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, chunk_empty);
+	ck_assert(privkey == NULL);
+
+	encoding = chunk_clone(encoding);
+	encoding.ptr[0] = NTRU_PUBKEY_TAG;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	ck_assert(privkey == NULL);
+
+	encoding.ptr[0] = NTRU_PRIVKEY_TRITS_TAG;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	if (params->is_product_form)
+	{
+		ck_assert(privkey == NULL);
+	}
+	else
+	{
+		ck_assert(privkey != NULL);
+		privkey->destroy(privkey);
+	}
+
+	encoding.ptr[0] = NTRU_PRIVKEY_INDICES_TAG;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	if (params->is_product_form)
+	{
+		ck_assert(privkey != NULL);
+		privkey->destroy(privkey);
+	}
+	else
+	{
+		ck_assert(privkey == NULL);
+	}
+
+	encoding.ptr[0] = NTRU_PRIVKEY_DEFAULT_TAG;
+	encoding.ptr[1] = NTRU_OID_LEN - 1;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	ck_assert(privkey == NULL);
+
+	encoding.ptr[1] = NTRU_OID_LEN;
+	encoding.ptr[2] = 0xff;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	ck_assert(privkey == NULL);
+
+	encoding.ptr[2] = params->oid[0];
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	privkey_encoding = privkey->get_encoding(privkey);
+	ck_assert(chunk_equals(privkey_encoding, encoding));
+
+	pubkey = privkey->get_public_key(privkey);
+	pubkey_encoding = pubkey->get_encoding(pubkey);
+
+	encoding.ptr[0] = NTRU_PUBKEY_TAG;
+	encoding.len = pubkey_encoding.len;
+	ck_assert(chunk_equals(pubkey_encoding, encoding));
+
+	/* load public key as a packed blob */
+	pubkey->destroy(pubkey);
+	pubkey = TEST_FUNCTION(ntru, ntru_public_key_create_from_data,
+						   drbg, encoding);
+	pubkey_encoding = pubkey->get_encoding(pubkey);
+	ck_assert(chunk_equals(pubkey_encoding, encoding));
+
+	chunk_free(&encoding);
+	privkey->destroy(privkey);
+	pubkey->destroy(pubkey);
+	drbg->destroy(drbg);
+	entropy->destroy(entropy);
+}
+END_TEST
+
 START_TEST(test_ntru_ke)
 {
 	chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret;
 	diffie_hellman_t *i_ntru, *r_ntru;
 	char buf[10];
-	int n, len;
+	int k, n, len;
 	status_t status;
 
+	k = (_i) / countof(parameter_sets);
+	n = (_i) % countof(parameter_sets);
+
 	len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names,
-				   params[_i].group);
+				   params[k].group);
 	ck_assert(len == 8);
-	ck_assert(streq(buf, params[_i].group_name));
-
-	for (n = 0; n < countof(parameter_sets); n++)
-	{
-		lib->settings->set_str(lib->settings,
-							  "libstrongswan.plugins.ntru.parameter_set",
-							   parameter_sets[n]);
+	ck_assert(streq(buf, params[k].group_name));
 
-		i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
-		ck_assert(i_ntru != NULL);
-		ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group);
+	lib->settings->set_str(lib->settings,
+				"libstrongswan.plugins.ntru.parameter_set", parameter_sets[n]);
 
-		i_ntru->get_my_public_value(i_ntru, &pub_key);
-		ck_assert(pub_key.len > 0);
+	i_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+	ck_assert(i_ntru != NULL);
+	ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group);
 
-		r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
-		ck_assert(r_ntru != NULL);
+	i_ntru->get_my_public_value(i_ntru, &pub_key);
+	ck_assert(pub_key.len > 0);
 
-		r_ntru->set_other_public_value(r_ntru, pub_key);
-		r_ntru->get_my_public_value(r_ntru, &cipher_text);
-		ck_assert(cipher_text.len > 0);
+	r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+	ck_assert(r_ntru != NULL);
 
-		status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
-		ck_assert(status == SUCCESS);
-		ck_assert(r_shared_secret.len > 0);
+	r_ntru->set_other_public_value(r_ntru, pub_key);
+	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(cipher_text.len > 0);
 
-		i_ntru->set_other_public_value(i_ntru, cipher_text);
-		status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+	status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
+	ck_assert(status == SUCCESS);
+	ck_assert(r_shared_secret.len > 0);
 
-		if (status == SUCCESS)
-		{
-			ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
-		}
-		else
-		{
-			ck_assert(i_shared_secret.len == 0);
-		}
+	i_ntru->set_other_public_value(i_ntru, cipher_text);
+	status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+	ck_assert(status == SUCCESS);
+	ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
 
-		chunk_clear(&i_shared_secret);
-		chunk_clear(&r_shared_secret);
-		chunk_free(&pub_key);
-		chunk_free(&cipher_text);
-		i_ntru->destroy(i_ntru);
-		r_ntru->destroy(r_ntru);
-	}
+	chunk_clear(&i_shared_secret);
+	chunk_clear(&r_shared_secret);
+	chunk_free(&pub_key);
+	chunk_free(&cipher_text);
+	i_ntru->destroy(i_ntru);
+	r_ntru->destroy(r_ntru);
 }
 END_TEST
 
@@ -1015,8 +1390,17 @@ Suite *ntru_suite_create()
 	tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("param_set");
+	tcase_add_test(tc, test_ntru_param_set);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("privkey");
+	tcase_add_loop_test(tc, test_ntru_privkey, 0, countof(privkey_tests));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("ke");
-	tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
+	tcase_add_loop_test(tc, test_ntru_ke, 0,
+						countof(params) * countof(parameter_sets));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("retransmission");
diff --git a/src/libstrongswan/tests/suites/test_vectors.c b/src/libstrongswan/tests/suites/test_vectors.c
index 242ac9d09..a1205d0be 100644
--- a/src/libstrongswan/tests/suites/test_vectors.c
+++ b/src/libstrongswan/tests/suites/test_vectors.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -15,13 +18,15 @@
 
 #include "test_suite.h"
 
-/*******************************************************************************
- * Check if test vectors have been successful during transform registration
- */
+#include <utils/test.h>
+
+IMPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms, u_int,
+						  crypto_factory_t *factory);
 
 START_TEST(test_vectors)
 {
-	u_int failed = lib->crypto->get_test_vector_failures(lib->crypto);
+	u_int failed = TEST_FUNCTION(crypto, verify_registered_algorithms,
+								 lib->crypto);
 	fail_if(failed > 0, "%u test vectors failed", failed);
 }
 END_TEST
diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c
index 0b26ee128..5ec4198e7 100644
--- a/src/libstrongswan/tests/test_runner.c
+++ b/src/libstrongswan/tests/test_runner.c
@@ -22,6 +22,7 @@
 #include <collections/array.h>
 #include <utils/test.h>
 
+#include <stdlib.h>
 #include <dirent.h>
 #include <unistd.h>
 #include <limits.h>
@@ -32,31 +33,85 @@
 #define TTY(color) tty_escape_get(2, TTY_FG_##color)
 
 /**
- * Initialize the lookup table for testable functions (defined in libstrongswan)
+ * Initialize the lookup table for testable functions (defined in
+ * libstrongswan).  We don't use the constructor attribute as the order can't
+ * really be defined (clang does not support it and gcc does not adhere to it in
+ * the monolithic build).  The function here is a weak symbol in libstrongswan.
  */
-static void testable_functions_create() __attribute__ ((constructor(1000)));
-static void testable_functions_create()
+void testable_functions_create()
 {
-	testable_functions = hashtable_create(hashtable_hash_str,
-										  hashtable_equals_str, 8);
+	if (!testable_functions)
+	{
+		testable_functions = hashtable_create(hashtable_hash_str,
+											  hashtable_equals_str, 8);
+	}
 }
 
 /**
  * Destroy the lookup table for testable functions
  */
-static void testable_functions_destroy() __attribute__ ((destructor(1000)));
+static void testable_functions_destroy() __attribute__ ((destructor));
 static void testable_functions_destroy()
 {
-	testable_functions->destroy(testable_functions);
+	DESTROY_IF(testable_functions);
 	/* if leak detective is enabled plugins are not actually unloaded, which
 	 * means their destructor is called AFTER this one when the process
-	 * terminates, even though the priority says differently, make sure this
-	 * does not crash */
+	 * terminates, make sure this does not crash */
 	testable_functions = NULL;
 }
 
 /**
- * Load all available test suites
+ * Destroy a single test suite and associated data
+ */
+static void destroy_suite(test_suite_t *suite)
+{
+	test_case_t *tcase;
+
+	while (array_remove(suite->tcases, 0, &tcase))
+	{
+		array_destroy(tcase->functions);
+		array_destroy(tcase->fixtures);
+	}
+	free(suite);
+}
+
+/**
+ * Removes and destroys test suites that are not selected.
+ */
+static void filter_suites(array_t *loaded)
+{
+	enumerator_t *enumerator, *names;
+	hashtable_t *selected;
+	test_suite_t *suite;
+	char *suites, *name;
+
+	suites = getenv("TESTS_SUITES");
+	if (!suites)
+	{
+		return;
+	}
+	selected = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8);
+	names = enumerator_create_token(suites, ",", " ");
+	while (names->enumerate(names, &name))
+	{
+		selected->put(selected, name, name);
+	}
+	enumerator = array_create_enumerator(loaded);
+	while (enumerator->enumerate(enumerator, &suite))
+	{
+		if (!selected->get(selected, suite->name))
+		{
+			array_remove_at(loaded, enumerator);
+			destroy_suite(suite);
+		}
+	}
+	enumerator->destroy(enumerator);
+	selected->destroy(selected);
+	names->destroy(names);
+}
+
+/**
+ * Load all available test suites, or optionally only selected ones.
  */
 static array_t *load_suites(test_configuration_t configs[],
 							test_runner_init_t init)
@@ -91,6 +146,7 @@ static array_t *load_suites(test_configuration_t configs[],
 			array_insert(suites, -1, configs[i].suite());
 		}
 	}
+	filter_suites(suites);
 
 	if (lib->leak_detective)
 	{
@@ -112,16 +168,10 @@ static array_t *load_suites(test_configuration_t configs[],
 static void unload_suites(array_t *suites)
 {
 	test_suite_t *suite;
-	test_case_t *tcase;
 
 	while (array_remove(suites, 0, &suite))
 	{
-		while (array_remove(suite->tcases, 0, &tcase))
-		{
-			array_destroy(tcase->functions);
-			array_destroy(tcase->fixtures);
-		}
-		free(suite);
+		destroy_suite(suite);
 	}
 	array_destroy(suites);
 }
@@ -178,6 +228,9 @@ static bool call_fixture(test_case_t *tcase, bool up)
  */
 static bool pre_test(test_runner_init_t init)
 {
+	level_t level = LEVEL_SILENT;
+	char *verbosity;
+
 	library_init(NULL, "test-runner");
 
 	/* use non-blocking RNG to generate keys fast */
@@ -185,6 +238,9 @@ static bool pre_test(test_runner_init_t init)
 			"libstrongswan.plugins.random.random",
 			lib->settings->get_str(lib->settings,
 				"libstrongswan.plugins.random.urandom", "/dev/urandom"));
+	/* same for the gcrypt plugin */
+	lib->settings->set_default_str(lib->settings,
+			"libstrongswan.plugins.gcrypt.quick_random", "yes");
 
 	if (lib->leak_detective)
 	{
@@ -197,7 +253,12 @@ static bool pre_test(test_runner_init_t init)
 		library_deinit();
 		return FALSE;
 	}
-	dbg_default_set_level(LEVEL_SILENT);
+	verbosity = getenv("TESTS_VERBOSITY");
+	if (verbosity)
+	{
+		level = atoi(verbosity);
+	}
+	dbg_default_set_level(level);
 	return TRUE;
 }
 
@@ -254,7 +315,7 @@ static void sum_leaks(report_data_t *data, int count, size_t bytes,
  * Do library cleanup and optionally check for memory leaks
  */
 static bool post_test(test_runner_init_t init, bool check_leaks,
-					  array_t *failures, char *name, int i)
+					  array_t *failures, char *name, int i, int *leaks)
 {
 	report_data_t data = {
 		.failures = failures,
@@ -264,7 +325,15 @@ static bool post_test(test_runner_init_t init, bool check_leaks,
 
 	if (init)
 	{
-		init(FALSE);
+		if (test_restore_point())
+		{
+			init(FALSE);
+		}
+		else
+		{
+			library_deinit();
+			return FALSE;
+		}
 	}
 	if (check_leaks && lib->leak_detective)
 	{
@@ -274,7 +343,8 @@ static bool post_test(test_runner_init_t init, bool check_leaks,
 	}
 	library_deinit();
 
-	return data.leaks != 0;
+	*leaks = data.leaks;
+	return TRUE;
 }
 
 /**
@@ -346,7 +416,8 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init)
 		{
 			if (pre_test(init))
 			{
-				bool ok = FALSE, leaks = FALSE;
+				bool ok = FALSE;
+				int leaks = 0;
 
 				test_setup_timeout(tcase->timeout);
 
@@ -363,9 +434,11 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init)
 					{
 						call_fixture(tcase, FALSE);
 					}
-
 				}
-				leaks = post_test(init, ok, failures, tfun->name, i);
+				if (!post_test(init, ok, failures, tfun->name, i, &leaks))
+				{
+					ok = FALSE;
+				}
 
 				test_setup_timeout(0);
 
diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c
index 0f2e74b7c..fb40b05c1 100644
--- a/src/libstrongswan/tests/test_suite.c
+++ b/src/libstrongswan/tests/test_suite.c
@@ -136,7 +136,8 @@ static inline void test_failure()
 	else
 	{
 		pthread_kill(main_thread, SIGUSR1);
-		/* how can we stop just the thread? longjmp to a restore point? */
+		/* terminate thread to prevent it from going wild */
+		pthread_exit(NULL);
 	}
 }
 
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index eb167d6a4..0adfb31d0 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -496,6 +496,8 @@ void threads_deinit()
 	dummy1->destroy(dummy1);
 
 	main_thread->mutex->lock(main_thread->mutex);
+	main_thread->terminated = TRUE;
+	main_thread->detached_or_joined = TRUE;
 	thread_destroy(main_thread);
 	current_thread->destroy(current_thread);
 	id_mutex->destroy(id_mutex);
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 82eadcb97..af29e2100 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2014 Tobias Brunner
  * Copyright (C) 2006-2013 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -973,17 +973,20 @@ leak_detective_t *leak_detective_create()
 		},
 	);
 
+	if (getenv("LEAK_DETECTIVE_DISABLE") != NULL)
+	{
+		free(this);
+		return NULL;
+	}
+
 	lock = spinlock_create();
 	thread_disabled = thread_value_create(NULL);
 
 	init_static_allocations();
 
-	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
+	if (register_hooks())
 	{
-		if (register_hooks())
-		{
-			enable_leak_detective();
-		}
+		enable_leak_detective();
 	}
 	return &this->public;
 }
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 3fd0b8c93..ca70067d4 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -50,9 +50,7 @@ typedef void (*leak_detective_summary_cb_t)(void* user, int count, size_t bytes,
 										    int whitelisted);
 
 /**
- * Leak detective finds leaks and bad frees using malloc hooks.
- *
- * Currently leaks are reported to stderr on destruction.
+ * Leak detective finds leaks and invalid frees using malloc hooks.
  *
  * @todo Build an API for leak detective, allowing leak enumeration, statistics
  * and dynamic whitelisting.
@@ -62,13 +60,12 @@ struct leak_detective_t {
 	/**
 	 * Report leaks to the registered callback functions.
 	 *
-	 * @param detailed 		TRUE to resolve line/filename of leak (slow)
+	 * @param detailed 		TRUE to resolve line/filename of leaks (slow)
 	 */
 	void (*report)(leak_detective_t *this, bool detailed);
 
 	/**
-	 * Report current memory usage to out.
-	 * Set callback functions invoked during a report().
+	 * Set callback functions invoked when report() is called.
 	 *
 	 * @param cb			callback invoked for each detected leak
 	 * @param scb			summary callback invoked at end of report
@@ -78,11 +75,11 @@ struct leak_detective_t {
 						  leak_detective_summary_cb_t scb, void *user);
 
 	/**
-	 * Report current memory usage using a callbacks.
+	 * Report current memory usage using callback functions.
 	 *
 	 * @param cb			callback invoked for each allocation
 	 * @param scb			summary callback invoked at end of usage report
-	 * @param user			user data supplied to callbacks
+	 * @param user			user data to supply to callbacks
 	 */
 	void (*usage)(leak_detective_t *this, leak_detective_report_cb_t cb,
 				  leak_detective_summary_cb_t scb, void *user);
@@ -109,7 +106,10 @@ struct leak_detective_t {
 };
 
 /**
- * Create a leak_detective instance.
+ * Create a leak_detective instance, unless the LEAK_DETECTIVE_DISABLE
+ * environment variable is set.
+ *
+ * @return					leak detective instance
  */
 leak_detective_t *leak_detective_create();
 
diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c
index 490490a1e..cf34fd1cf 100644
--- a/src/libstrongswan/utils/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -1224,7 +1224,16 @@ static bool parse_file(linked_list_t *contents, char *file, int level,
 	{
 		if (errno == ENOENT)
 		{
-			DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
+#ifdef STRONGSWAN_CONF
+			if (streq(file, STRONGSWAN_CONF))
+			{
+				DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
+			}
+			else
+#endif
+			{
+				DBG1(DBG_LIB, "'%s' does not exist, ignored", file);
+			}
 			return TRUE;
 		}
 		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
@@ -1244,8 +1253,8 @@ static bool parse_file(linked_list_t *contents, char *file, int level,
 	fseek(fd, 0, SEEK_END);
 	len = ftell(fd);
 	rewind(fd);
-	text = malloc(len + 1);
-	text[len] = '\0';
+	text = malloc(len + 2);
+	text[len] = text[len + 1] = '\0';
 	if (fread(text, 1, len, fd) != len)
 	{
 		free(text);
@@ -1287,7 +1296,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
 
 	if (!strlen(pattern))
 	{
-		DBG2(DBG_LIB, "empty include pattern, ignored");
+		DBG1(DBG_LIB, "empty include pattern, ignored");
 		return TRUE;
 	}
 
@@ -1318,7 +1327,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
 		status = glob(pat, GLOB_ERR, NULL, &buf);
 		if (status == GLOB_NOMATCH)
 		{
-			DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
+			DBG1(DBG_LIB, "no files found matching '%s', ignored", pat);
 		}
 		else if (status != 0)
 		{
@@ -1509,4 +1518,3 @@ settings_t *settings_create(char *file)
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/test.c b/src/libstrongswan/utils/test.c
index 7de5a7661..624ac4b34 100644
--- a/src/libstrongswan/utils/test.c
+++ b/src/libstrongswan/utils/test.c
@@ -22,29 +22,46 @@
  */
 hashtable_t *testable_functions;
 
+/**
+ * The function that actually initializes the hash table above.  Provided
+ * by the test runner.
+ */
+void testable_functions_create() __attribute__((weak));
+
 /*
  * Described in header.
  */
 void testable_function_register(char *name, void *fn)
 {
-	if (testable_functions)
+	bool old = FALSE;
+
+	if (!testable_functions_create)
+	{	/* not linked to the test runner */
+		return;
+	}
+	else if (!fn && !testable_functions)
+	{	/* ignore as testable_functions has already been destroyed */
+		return;
+	}
+
+	if (lib && lib->leak_detective)
+	{
+		old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+	}
+	if (!testable_functions)
+	{
+		testable_functions_create();
+	}
+	if (fn)
+	{
+		testable_functions->put(testable_functions, name, fn);
+	}
+	else
+	{
+		testable_functions->remove(testable_functions, name);
+	}
+	if (lib && lib->leak_detective)
 	{
-		bool old = FALSE;
-		if (lib->leak_detective)
-		{
-			old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
-		}
-		if (fn)
-		{
-			testable_functions->put(testable_functions, name, fn);
-		}
-		else
-		{
-			testable_functions->remove(testable_functions, name);
-		}
-		if (lib->leak_detective)
-		{
-			lib->leak_detective->set_state(lib->leak_detective, old);
-		}
+		lib->leak_detective->set_state(lib->leak_detective, old);
 	}
 }
diff --git a/src/libstrongswan/utils/test.h b/src/libstrongswan/utils/test.h
index 5b7289244..a1b2a2d9b 100644
--- a/src/libstrongswan/utils/test.h
+++ b/src/libstrongswan/utils/test.h
@@ -51,7 +51,7 @@ void testable_function_register(char *name, void *fn);
  * @param fn		function to register
  */
 #define EXPORT_FUNCTION_FOR_TESTS(ns, fn) \
-static void testable_function_register_##fn() __attribute__ ((constructor(2000))); \
+static void testable_function_register_##fn() __attribute__ ((constructor)); \
 static void testable_function_register_##fn() \
 { \
 	testable_function_register(#ns "/" #fn, fn); \
@@ -65,32 +65,32 @@ static void testable_function_unregister_##fn() \
 /**
  * Import a registered function so that it can be called from tests.
  *
- * @note If the imported function is static (or no conflicting header files
- * are included) ret can be prefixed with static to declare the function static.
- *
- * @note We allocate an arbitrary amount of stack space, hopefully enough for
- * all arguments.
- *
  * @param ns		namespace of the function
  * @param name		name of the function
  * @param ret		return type of the function
  * @param ...		arguments of the function
  */
 #define IMPORT_FUNCTION_FOR_TESTS(ns, name, ret, ...) \
-ret name(__VA_ARGS__) \
-{ \
-	void (*fn)() = NULL; \
+static ret (*TEST_##ns##name)(__VA_ARGS__);
+
+/**
+ * Call a registered function from tests.
+ *
+ * @param ns		namespace of the function
+ * @param name		name of the function
+ * @param ...		arguments for the function
+ */
+#define TEST_FUNCTION(ns, name, ...) \
+({ \
 	if (testable_functions) \
 	{ \
-		fn = testable_functions->get(testable_functions, #ns "/" #name); \
+		TEST_##ns##name = testable_functions->get(testable_functions, #ns "/" #name); \
 	} \
-	if (fn) \
+	if (!TEST_##ns##name) \
 	{ \
-		void *args = __builtin_apply_args(); \
-		__builtin_return(__builtin_apply(fn, args, 16*sizeof(void*))); \
+		test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \
 	} \
-	test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \
-	__builtin_return(NULL); \
-}
+	TEST_##ns##name(__VA_ARGS__); \
+})
 
 #endif /** TEST_H_ @}*/
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
index b83ea8eba..d565a1479 100644
--- a/src/libtls/Makefile.am
+++ b/src/libtls/Makefile.am
@@ -8,6 +8,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
 	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
 	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
 	tls_server.c tls.c
 
 libtls_la_LIBADD = \
@@ -18,5 +19,7 @@ tls_includedir = ${dev_headers}/tls
 nobase_tls_include_HEADERS = \
 	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
 	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-	tls_server.h tls_handshake.h tls_application.h tls.h
+	tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h
 endif
+
+SUBDIRS = . tests
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 87ae2a63d..b6abd1eac 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -134,6 +134,7 @@ libtls_la_DEPENDENCIES =  \
 am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
 	tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \
 	tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \
+	tls_aead_expl.lo tls_aead_impl.lo tls_aead_null.lo tls_aead.lo \
 	tls_server.lo tls.lo
 libtls_la_OBJECTS = $(am_libtls_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -176,6 +177,14 @@ am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
 SOURCES = $(libtls_la_SOURCES)
 DIST_SOURCES = $(libtls_la_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+	ctags-recursive dvi-recursive html-recursive info-recursive \
+	install-data-recursive install-dvi-recursive \
+	install-exec-recursive install-html-recursive \
+	install-info-recursive install-pdf-recursive \
+	install-ps-recursive install-recursive installcheck-recursive \
+	installdirs-recursive pdf-recursive ps-recursive \
+	tags-recursive uninstall-recursive
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -184,8 +193,17 @@ am__can_run_installinfo = \
 am__nobase_tls_include_HEADERS_DIST = tls_protection.h \
 	tls_compression.h tls_fragmentation.h tls_alert.h tls_crypto.h \
 	tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-	tls_server.h tls_handshake.h tls_application.h tls.h
+	tls_server.h tls_handshake.h tls_application.h tls_aead.h \
+	tls.h
 HEADERS = $(nobase_tls_include_HEADERS)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+am__recursive_targets = \
+  $(RECURSIVE_TARGETS) \
+  $(RECURSIVE_CLEAN_TARGETS) \
+  $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
+	distdir
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -205,7 +223,33 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -375,7 +419,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -425,6 +468,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
 	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
 	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
 	tls_server.c tls.c
 
 libtls_la_LIBADD = \
@@ -434,9 +478,10 @@ libtls_la_LIBADD = \
 @USE_DEV_HEADERS_TRUE@nobase_tls_include_HEADERS = \
 @USE_DEV_HEADERS_TRUE@	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
 @USE_DEV_HEADERS_TRUE@	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-@USE_DEV_HEADERS_TRUE@	tls_server.h tls_handshake.h tls_application.h tls.h
+@USE_DEV_HEADERS_TRUE@	tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h
 
-all: all-am
+SUBDIRS = . tests
+all: all-recursive
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -516,6 +561,10 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead_expl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead_impl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead_null.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_alert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_compression.Plo@am__quote@
@@ -582,14 +631,61 @@ uninstall-nobase_tls_includeHEADERS:
 	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
 	dir='$(DESTDIR)$(tls_includedir)'; $(am__uninstall_files_from_dir)
 
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+#     (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+	@fail=; \
+	if $(am__make_keepgoing); then \
+	  failcom='fail=yes'; \
+	else \
+	  failcom='exit 1'; \
+	fi; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
+tags: tags-recursive
 TAGS: tags
 
 tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	set x; \
 	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
 	$(am__define_uniq_tagged_files); \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
@@ -602,7 +698,7 @@ tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	      $$unique; \
 	  fi; \
 	fi
-ctags: ctags-am
+ctags: ctags-recursive
 
 CTAGS: ctags
 ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
@@ -615,7 +711,7 @@ GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
+cscopelist: cscopelist-recursive
 
 cscopelist-am: $(am__tagged_files)
 	list='$(am__tagged_files)'; \
@@ -664,22 +760,48 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
 check-am: all-am
-check: check-am
+check: check-recursive
 all-am: Makefile $(LTLIBRARIES) $(HEADERS)
-installdirs:
+installdirs: installdirs-recursive
+installdirs-am:
 	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(tls_includedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-am
+installcheck: installcheck-recursive
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
@@ -701,92 +823,93 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
+clean: clean-recursive
 
 clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
-distclean: distclean-am
+distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-am
+dvi: dvi-recursive
 
 dvi-am:
 
-html: html-am
+html: html-recursive
 
 html-am:
 
-info: info-am
+info: info-recursive
 
 info-am:
 
 install-data-am: install-ipseclibLTLIBRARIES \
 	install-nobase_tls_includeHEADERS
 
-install-dvi: install-dvi-am
+install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
 install-exec-am:
 
-install-html: install-html-am
+install-html: install-html-recursive
 
 install-html-am:
 
-install-info: install-info-am
+install-info: install-info-recursive
 
 install-info-am:
 
 install-man:
 
-install-pdf: install-pdf-am
+install-pdf: install-pdf-recursive
 
 install-pdf-am:
 
-install-ps: install-ps-am
+install-ps: install-ps-recursive
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-am
+maintainer-clean: maintainer-clean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-am
+mostlyclean: mostlyclean-recursive
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-am
+pdf: pdf-recursive
 
 pdf-am:
 
-ps: ps-am
+ps: ps-recursive
 
 ps-am:
 
 uninstall-am: uninstall-ipseclibLTLIBRARIES \
 	uninstall-nobase_tls_includeHEADERS
 
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-ipseclibLTLIBRARIES clean-libtool cscopelist-am ctags \
-	ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipseclibLTLIBRARIES install-man \
+.MAKE: $(am__recursive_targets) install-am install-strip
+
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
+	check-am clean clean-generic clean-ipseclibLTLIBRARIES \
+	clean-libtool cscopelist-am ctags ctags-am distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man \
 	install-nobase_tls_includeHEADERS install-pdf install-pdf-am \
 	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
+	installcheck-am installdirs installdirs-am maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags tags-am uninstall uninstall-am \
diff --git a/src/libtls/tests/Makefile.am b/src/libtls/tests/Makefile.am
new file mode 100644
index 000000000..1c0e2f941
--- /dev/null
+++ b/src/libtls/tests/Makefile.am
@@ -0,0 +1,22 @@
+TESTS = tls_tests
+
+check_PROGRAMS = $(TESTS)
+
+tls_tests_SOURCES = \
+	suites/test_socket.c \
+	suites/test_suites.c \
+	tls_tests.h tls_tests.c
+
+tls_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tls_tests_LDADD = \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
new file mode 100644
index 000000000..0b8ba33c4
--- /dev/null
+++ b/src/libtls/tests/Makefile.in
@@ -0,0 +1,872 @@
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = tls_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libtls/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = tls_tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_tls_tests_OBJECTS = suites/tls_tests-test_socket.$(OBJEXT) \
+	suites/tls_tests-test_suites.$(OBJEXT) \
+	tls_tests-tls_tests.$(OBJEXT)
+tls_tests_OBJECTS = $(am_tls_tests_OBJECTS)
+tls_tests_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+tls_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(tls_tests_CFLAGS) \
+	$(CFLAGS) $(tls_tests_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(tls_tests_SOURCES)
+DIST_SOURCES = $(tls_tests_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+tls_tests_SOURCES = \
+	suites/test_socket.c \
+	suites/test_suites.c \
+	tls_tests.h tls_tests.c
+
+tls_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tls_tests_LDADD = \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/tests/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libtls/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/tls_tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tls_tests-test_suites.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+
+tls_tests$(EXEEXT): $(tls_tests_OBJECTS) $(tls_tests_DEPENDENCIES) $(EXTRA_tls_tests_DEPENDENCIES) 
+	@rm -f tls_tests$(EXEEXT)
+	$(AM_V_CCLD)$(tls_tests_LINK) $(tls_tests_OBJECTS) $(tls_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+	-rm -f suites/*.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_tests-tls_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tls_tests-test_socket.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tls_tests-test_suites.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+suites/tls_tests-test_socket.o: suites/test_socket.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+
+suites/tls_tests-test_socket.obj: suites/test_socket.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+
+suites/tls_tests-test_suites.o: suites/test_suites.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c
+
+suites/tls_tests-test_suites.obj: suites/test_suites.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi`
+
+tls_tests-tls_tests.o: tls_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.o -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c
+
+tls_tests-tls_tests.obj: tls_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.obj -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
new file mode 100644
index 000000000..42a4607b7
--- /dev/null
+++ b/src/libtls/tests/suites/test_socket.c
@@ -0,0 +1,524 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_suite.h>
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <processing/jobs/callback_job.h>
+#include <credentials/sets/mem_cred.h>
+
+#include "tls_socket.h"
+
+/**
+ * Credentials for authentication
+ */
+static mem_cred_t *creds;
+
+/**
+ * RSA private key, 2048 bit
+ */
+static char rsa[] = {
+	0x30,0x82,0x04,0xa4,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,
+	0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,
+	0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,
+	0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,
+	0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,
+	0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,
+	0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,
+	0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,
+	0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,
+	0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,
+	0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,
+	0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,
+	0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,
+	0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,
+	0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,
+	0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,
+	0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,
+	0x01,0x02,0x82,0x01,0x01,0x00,0xd9,0x5b,0x99,0x74,0x80,0xb4,0x57,0xcc,0x82,0x2a,
+	0x17,0x66,0x1d,0x3c,0xde,0xea,0xbd,0x11,0x40,0x03,0x62,0x47,0xe3,0xe5,0x2c,0x6b,
+	0x65,0x67,0x0f,0x0b,0x96,0x13,0x83,0x4c,0x71,0x58,0xfa,0xfe,0xe6,0xe9,0x37,0xeb,
+	0x98,0x51,0x73,0x48,0xcc,0xf9,0xe1,0x46,0x5b,0xfe,0x16,0xe1,0xc0,0xa5,0x75,0xf3,
+	0x4d,0x30,0x84,0x14,0x15,0x04,0x6f,0x3e,0xa3,0x03,0xbd,0xba,0x4f,0x5a,0x71,0xe9,
+	0x26,0xbf,0x5d,0x7a,0x93,0x22,0x98,0xb5,0xcf,0x51,0xc3,0xc7,0x51,0xb8,0x59,0x0a,
+	0xfb,0xd7,0xe5,0xa8,0x1d,0x0f,0x5c,0xfd,0x30,0x0e,0x71,0xd7,0x79,0xc4,0x60,0x55,
+	0x9e,0x1e,0x1c,0x0b,0x9a,0x40,0xb8,0x7a,0x8d,0xb2,0xec,0xb0,0x70,0x8a,0x19,0x5f,
+	0x1d,0x2e,0xde,0x90,0x8f,0x68,0x56,0x08,0xce,0x0c,0x08,0xde,0xc7,0xf8,0x13,0xef,
+	0xd2,0xbc,0x92,0xb6,0xfb,0xec,0xb6,0x04,0xf6,0x8f,0x7d,0x95,0xe9,0xeb,0xc7,0xfb,
+	0xcc,0x4f,0xad,0x41,0xf1,0x4c,0x79,0x07,0xdd,0x4b,0x40,0xb4,0x74,0x44,0x9a,0x06,
+	0x0a,0x0f,0xb2,0xda,0x12,0x46,0xe5,0xee,0x01,0x64,0xe5,0xf0,0x82,0x69,0xf9,0xf1,
+	0xe9,0x41,0x13,0x5a,0xee,0xc0,0x37,0x9a,0xbe,0x9a,0x9a,0x06,0x4b,0x52,0xd6,0xf3,
+	0x1b,0x30,0x64,0x93,0x3a,0x97,0xe1,0xdc,0x50,0x1f,0x46,0xc4,0x81,0x6a,0x17,0x52,
+	0x49,0x85,0xc6,0x85,0xb7,0x60,0xd4,0xf0,0xd1,0x6a,0xeb,0x50,0x8c,0xb7,0xeb,0x1f,
+	0x17,0x0e,0xf0,0xfd,0x67,0x03,0x7c,0x74,0x1a,0xac,0x66,0x81,0x00,0x45,0x5e,0xf3,
+	0xd9,0x9d,0x22,0x99,0xc4,0x11,0x02,0x81,0x81,0x00,0xfa,0x44,0x32,0x14,0xb2,0x82,
+	0x28,0x02,0x46,0x05,0xdd,0x8d,0xb1,0x9f,0x9e,0x6f,0x61,0xf2,0x01,0xa0,0x2b,0x76,
+	0xee,0x46,0xaa,0x2d,0x2d,0x5b,0xd2,0x67,0x90,0x36,0xbb,0xa0,0x07,0xdf,0x9b,0xad,
+	0x18,0x1e,0xa7,0xe6,0x36,0xc6,0x49,0xda,0xc5,0x0d,0x52,0x29,0x5a,0x40,0xcf,0xdf,
+	0x8d,0xd0,0xa3,0xc2,0x34,0x17,0x9f,0xb5,0xf1,0x67,0xac,0x29,0x10,0xc2,0x5c,0x62,
+	0xe3,0xe2,0x5c,0x9f,0x93,0xcc,0xb5,0xeb,0x16,0x64,0x44,0x9f,0x6b,0x5a,0xac,0x19,
+	0x09,0xff,0x4b,0x78,0x7f,0xec,0x5a,0xbd,0xe9,0xcb,0x74,0xbb,0x30,0x13,0xc5,0x25,
+	0x8b,0xac,0x8d,0xf9,0xa9,0x99,0x25,0xf5,0xce,0x07,0xb6,0x2b,0x1b,0x42,0xed,0x3a,
+	0x30,0x4a,0xfc,0x5f,0xf0,0xe2,0x26,0xa6,0x60,0x5d,0x02,0x81,0x81,0x00,0xf4,0x1a,
+	0xc2,0x7e,0xa0,0xa0,0xad,0x20,0x65,0x04,0xe8,0xf7,0xb0,0xb1,0x76,0x79,0x08,0x18,
+	0x58,0x93,0x21,0xf1,0x56,0x58,0x58,0x18,0x4a,0x5c,0x59,0x08,0x27,0x64,0x09,0xcb,
+	0x0b,0x0b,0x4e,0x26,0xc8,0x0b,0x87,0x67,0x40,0xc1,0xab,0x31,0x60,0xa6,0x78,0xdd,
+	0x78,0xc8,0x86,0x38,0xbd,0x19,0xde,0x0b,0x70,0x72,0xec,0x36,0x88,0x39,0x69,0x70,
+	0xda,0xa6,0x2e,0xf9,0x5c,0xd8,0x17,0xc5,0xfa,0xf8,0xa5,0xc9,0x9b,0xf0,0xfe,0x03,
+	0x71,0x57,0xfa,0x58,0x0f,0x33,0xc3,0xab,0xce,0xb0,0x5d,0xd0,0x40,0x07,0x9a,0x0b,
+	0xff,0xb9,0xaa,0x9d,0xc5,0x33,0x7f,0x5f,0x48,0x7e,0x54,0x82,0xd1,0xdf,0x75,0x69,
+	0xee,0xe5,0xf5,0x80,0x44,0xce,0x52,0x72,0x14,0x2c,0xe6,0xa7,0xd5,0x8d,0x02,0x81,
+	0x81,0x00,0xb8,0xf7,0x70,0x20,0x35,0xf2,0xd6,0x89,0x1f,0xa1,0xb4,0x26,0xc6,0x51,
+	0xd7,0xb2,0x30,0xac,0xc1,0xa0,0xd4,0x9e,0xf8,0xea,0x87,0x5a,0x0e,0x7d,0x1f,0xdb,
+	0xe5,0x0d,0x5e,0xcc,0x9f,0x25,0x18,0x14,0xed,0x8f,0xb2,0xbe,0x06,0x5b,0xb5,0x38,
+	0x18,0x8d,0x88,0xdd,0x01,0x54,0x87,0x8e,0x8d,0x6c,0xd7,0xab,0x6f,0xfe,0xc9,0xce,
+	0x9a,0x15,0xea,0x7b,0x0b,0x64,0xeb,0x0d,0x37,0xaa,0x14,0x94,0xe8,0x92,0xd3,0x1d,
+	0x66,0x16,0x43,0x55,0xa3,0xed,0x86,0xe6,0x96,0xa9,0xf5,0xe8,0xa0,0x7b,0x5a,0x71,
+	0xa4,0x7a,0xf7,0xd2,0x65,0x6d,0x27,0x37,0x61,0xac,0xed,0xdd,0xc9,0x08,0x64,0xb2,
+	0xf0,0x4c,0x68,0xca,0x21,0x42,0xec,0xbc,0x25,0xf7,0x35,0xe1,0xde,0xd1,0xf6,0x88,
+	0xdf,0x0d,0x02,0x81,0x80,0x44,0xb0,0xcb,0x0e,0x6b,0x11,0x0b,0xe6,0xd3,0xc6,0x7f,
+	0xf0,0x43,0x6e,0x8c,0xd2,0x1e,0x2f,0x0b,0xad,0xcb,0x9d,0x68,0x18,0xd0,0x21,0x75,
+	0xbb,0x6a,0xea,0x5a,0x7b,0x52,0x2e,0x2a,0xdb,0x71,0x90,0x84,0x36,0x8a,0x51,0xc9,
+	0xed,0x35,0xc9,0x5d,0x53,0x3b,0x2b,0xc7,0x73,0x56,0x21,0xdd,0x44,0xcc,0x31,0x17,
+	0xe1,0x9f,0x0a,0xf1,0x66,0x86,0x7f,0x55,0x67,0xf2,0x4c,0x05,0x8e,0x61,0x92,0x3a,
+	0xbf,0x81,0x97,0xac,0x24,0x32,0xb6,0xb1,0x4c,0x7a,0x8c,0x11,0x2b,0x15,0xe2,0xe0,
+	0xf4,0xcc,0x51,0x6f,0xd3,0x33,0xcc,0x30,0x98,0x04,0xa5,0x04,0xfb,0x2a,0xda,0x9b,
+	0x41,0xc1,0x72,0x56,0xb0,0xb5,0x0f,0xac,0x44,0x55,0xc3,0x54,0x99,0x62,0xa5,0xeb,
+	0x7b,0x7f,0x24,0xb7,0x79,0x02,0x81,0x80,0x0a,0x3b,0x9b,0x91,0x1d,0x9b,0x04,0x4e,
+	0xdf,0xd9,0xe6,0x47,0xf3,0x79,0xb7,0x17,0xcf,0x42,0xa5,0xde,0x94,0xf0,0xfe,0xed,
+	0x46,0xf6,0xaf,0x3e,0x6c,0x91,0x01,0x89,0x79,0x81,0xea,0x2b,0x82,0x68,0x0e,0xd8,
+	0x25,0xaf,0x79,0x8b,0x14,0xfd,0xf2,0x29,0x20,0x34,0x2d,0x0b,0x08,0x8c,0x3b,0x2b,
+	0xfc,0x75,0xe9,0x4e,0x21,0xa6,0xb2,0x35,0x67,0x8d,0x4c,0x90,0x94,0x02,0xd5,0x32,
+	0x23,0xc6,0xa0,0x92,0x2e,0xfa,0x97,0x48,0x5b,0x95,0xc3,0xf1,0xbc,0x6b,0xe8,0x4c,
+	0x92,0x6f,0x5e,0x3d,0xf9,0xbd,0x2c,0xf0,0x83,0x1c,0xe6,0xb3,0x45,0x68,0x32,0x8d,
+	0x85,0x20,0xcb,0x9d,0xd2,0x30,0x5a,0x57,0xa4,0x6e,0x27,0xb5,0x29,0x14,0xdb,0xf1,
+	0x4b,0x9a,0xc3,0xc1,0xc5,0x37,0x6d,0x1b,
+};
+
+/**
+ * ECDSA private key
+ */
+static char ecdsa[] = {
+	0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0xc0,0x1f,0xfd,0x65,0xc6,0xc4,0x4c,0xb8,
+	0xff,0x56,0x08,0xb5,0xbd,0xb8,0xf5,0x93,0xf7,0x51,0x0e,0x92,0x1f,0x06,0xbf,0xa6,
+	0xd9,0x1d,0xae,0xa3,0x16,0x0d,0x0f,0xc9,0xd5,0x97,0x90,0x46,0xf1,0x98,0xa8,0x18,
+	0x07,0xba,0xcf,0x91,0x8e,0x07,0xed,0x88,0xa0,0x07,0x06,0x05,0x2b,0x81,0x04,0x00,
+	0x22,0xa1,0x64,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09,0x22,0x21,0x12,0x69,
+	0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3,0xdb,0xb9,0xb1,0xee,
+	0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef,0x4e,0xe3,0xdd,0xf4,
+	0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,0x5b,0xe6,0xde,0x0a,
+	0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,0x5b,0x57,0xb0,0x01,
+	0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,0x9a,0x1c,0x52,0x09,
+	0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,
+};
+
+/**
+ * TLS certificate for RSA key
+ */
+static char rsa_crt[] = {
+	0x30,0x82,0x03,0x1f,0x30,0x82,0x02,0x07,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
+	0xf0,0xbb,0xac,0xc3,0xa1,0x6b,0xf3,0x1c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
+	0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
+	0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,
+	0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x10,0x30,0x0e,0x06,
+	0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,0x73,0x61,0x30,0x1e,0x17,
+	0x0d,0x31,0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x17,0x0d,
+	0x31,0x37,0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x30,0x34,0x31,
+	0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,
+	0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,
+	0x6e,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,
+	0x72,0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
+	0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,
+	0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,
+	0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,
+	0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,
+	0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,
+	0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,
+	0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,
+	0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,
+	0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,
+	0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,
+	0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,
+	0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,
+	0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,
+	0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,
+	0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,
+	0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,
+	0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,
+	0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,0x01,0xa3,0x34,0x30,0x32,0x30,0x1f,0x06,
+	0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x96,0x0e,0xc8,0xd3,0xb3,0x3f,
+	0xd1,0x11,0xb6,0x36,0x70,0xdb,0x37,0x98,0x3c,0xab,0x69,0x03,0x69,0x56,0x30,0x0f,
+	0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,0x30,
+	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
+	0x01,0x01,0x00,0x94,0x1d,0x08,0xda,0x7b,0xc4,0xa3,0xf4,0x40,0x54,0xae,0x45,0x6a,
+	0xb3,0x62,0xb6,0x0b,0x35,0xc7,0x5f,0xed,0xb9,0x42,0x33,0xd5,0x32,0x80,0x23,0x76,
+	0x87,0xae,0x59,0xbb,0x77,0x00,0xc4,0xbf,0x60,0x3b,0x9b,0x04,0x46,0x52,0xde,0x9f,
+	0x16,0xc6,0x96,0x5e,0x7a,0xb5,0xbb,0x49,0x6a,0x89,0x4a,0x60,0x0b,0x85,0x15,0xec,
+	0xbb,0x83,0x79,0x01,0xfa,0x3c,0xd5,0x1e,0x6a,0x75,0xe7,0x93,0xc9,0xc4,0xbb,0xea,
+	0xad,0xa2,0x23,0x32,0xc5,0x57,0x4c,0x41,0xb2,0x41,0x91,0x53,0x5e,0xaf,0x98,0x83,
+	0xcb,0x6b,0xa8,0x2f,0xc8,0x06,0x16,0x18,0x5a,0x75,0xe1,0xee,0xac,0xc0,0x28,0x08,
+	0x0a,0x09,0xd1,0x03,0xba,0x65,0xf1,0x89,0xcc,0x63,0x6f,0xb2,0x70,0xdc,0x46,0x2b,
+	0x62,0x5b,0x64,0xd4,0x7a,0xc4,0x12,0xe2,0x88,0x3a,0x54,0x0a,0xf5,0x1e,0x1c,0x9e,
+	0x9a,0xb2,0x62,0xf9,0xd3,0x02,0xf0,0xc1,0xf0,0x7b,0x4d,0xf3,0x44,0xd8,0x3c,0x13,
+	0x1d,0xfc,0x78,0xa3,0x54,0x68,0xce,0x43,0x31,0x78,0x58,0x2f,0x5d,0xb8,0xa7,0xff,
+	0x54,0xae,0x6e,0x25,0xd7,0x40,0x6c,0x59,0x7b,0x5f,0x18,0x31,0xe9,0xfc,0x53,0x34,
+	0xb2,0xb0,0x18,0xd4,0x2c,0x85,0x9d,0xad,0x2d,0xd2,0x05,0x5d,0x2e,0x47,0xee,0x09,
+	0x3d,0x05,0x2e,0x46,0x66,0xea,0x09,0xb2,0x81,0xd3,0x9b,0x28,0xbf,0xf9,0x9c,0x54,
+	0x98,0xb7,0x2d,0x38,0xd8,0xae,0x03,0x70,0xae,0x1e,0xd4,0xa9,0xb7,0x2e,0xdb,0x02,
+	0x6a,0x84,0x0f,0x6c,0xe8,0xb8,0x25,0x73,0x84,0x13,0x9f,0x34,0x24,0xb8,0xfc,0x96,
+	0x4c,0x91,0xfa,
+};
+
+/**
+ * TLS certificate for ECDSA key
+ */
+static char ecdsa_crt[] = {
+	0x30,0x82,0x01,0xd3,0x30,0x82,0x01,0x59,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
+	0xaa,0x92,0xf5,0x39,0x85,0xf5,0xd5,0xa3,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,
+	0x3d,0x04,0x01,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
+	0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,
+	0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,
+	0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x31,
+	0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x17,0x0d,0x31,0x37,
+	0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x30,0x36,0x31,0x0b,0x30,
+	0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,
+	0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,
+	0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,
+	0x64,0x73,0x61,0x30,0x76,0x30,0x10,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
+	0x06,0x05,0x2b,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09,
+	0x22,0x21,0x12,0x69,0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3,
+	0xdb,0xb9,0xb1,0xee,0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef,
+	0x4e,0xe3,0xdd,0xf4,0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,
+	0x5b,0xe6,0xde,0x0a,0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,
+	0x5b,0x57,0xb0,0x01,0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,
+	0x9a,0x1c,0x52,0x09,0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,0xa3,0x34,0x30,0x32,0x30,
+	0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4f,0x1e,0x5d,0x94,
+	0x85,0xe2,0xbc,0x86,0x0e,0x80,0xce,0x17,0x92,0x42,0xb4,0xb8,0x19,0x67,0xb8,0xfe,
+	0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,
+	0x01,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x04,0x01,0x03,0x69,0x00,0x30,
+	0x66,0x02,0x31,0x00,0xdc,0x6e,0x3b,0xe4,0x9f,0x36,0xa5,0xa8,0x88,0x8d,0xcf,0x2d,
+	0xa1,0x6e,0x33,0x68,0x73,0xd6,0x6a,0xd6,0x1d,0x00,0xe5,0x5c,0x76,0x09,0x5e,0xe9,
+	0x7a,0x3a,0x00,0x5e,0xbc,0xef,0x0d,0x8d,0x95,0x5c,0x2b,0xfc,0xa4,0xe3,0xe3,0xcf,
+	0x74,0x95,0x00,0x21,0x02,0x31,0x00,0x8f,0x40,0x3e,0xfc,0xe9,0xae,0x17,0x9b,0x36,
+	0x39,0xe2,0x79,0xa5,0x7b,0x5d,0xe3,0xe0,0x84,0x68,0x7e,0x00,0x57,0xbe,0x4d,0xe3,
+	0x0e,0xff,0x20,0x9c,0xce,0xd1,0x43,0x76,0x00,0x6e,0x59,0x7b,0xac,0x94,0x05,0xef,
+	0xed,0xca,0x8b,0xe5,0x7f,0xa5,0xd7,
+};
+
+START_SETUP(setup_creds)
+{
+	private_key_t *key;
+	certificate_t *cert;
+
+	creds = mem_cred_create();
+
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+							 BUILD_BLOB, chunk_from_thing(rsa), BUILD_END);
+	if (key)
+	{
+		creds->add_key(creds, key);
+	}
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+							 BUILD_BLOB, chunk_from_thing(ecdsa), BUILD_END);
+	if (key)
+	{
+		creds->add_key(creds, key);
+	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB, chunk_from_thing(rsa_crt), BUILD_END);
+	if (cert)
+	{
+		creds->add_cert(creds, TRUE, cert);
+	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB, chunk_from_thing(ecdsa_crt), BUILD_END);
+	if (cert)
+	{
+		creds->add_cert(creds, TRUE, cert);
+	}
+
+	lib->credmgr->add_set(lib->credmgr, &creds->set);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_creds)
+{
+	lib->credmgr->remove_set(lib->credmgr, &creds->set);
+	creds->destroy(creds);
+}
+END_TEARDOWN
+
+/**
+ * Configuration for an echo server
+ */
+typedef struct {
+	tls_version_t version;
+	u_int16_t port;
+	char *addr;
+	chunk_t data;
+	int fd;
+	bool cauth;
+} echo_server_config_t;
+
+/**
+ * Run an echo server
+ */
+static job_requeue_t serve_echo(echo_server_config_t *config)
+{
+	tls_socket_t *tls;
+	int sfd, cfd;
+	identification_t *server, *client = NULL;
+	ssize_t len, total, done;
+	char buf[128];
+
+	server = identification_create_from_string(config->addr);
+	if (config->cauth)
+	{
+		client = server;
+	}
+	sfd = config->fd;
+	while (TRUE)
+	{
+		cfd = accept(sfd, NULL, NULL);
+		if (cfd < 0)
+		{
+			break;
+		}
+
+		tls = tls_socket_create(TRUE, server, client, cfd, NULL,
+								config->version, TRUE);
+		ck_assert(tls != NULL);
+
+		while (TRUE)
+		{
+			len = tls->read(tls, buf, sizeof(buf), TRUE);
+			if (len <= 0)
+			{
+				break;
+			}
+			total = 0;
+			while (total < len)
+			{
+				done = tls->write(tls, buf + total, len - total);
+				ck_assert_msg(done > 0, "%s", strerror(errno));
+				total += done;
+			}
+		}
+
+		tls->destroy(tls);
+		close(cfd);
+	}
+	server->destroy(server);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Start a echo server using config
+ */
+static void start_echo_server(echo_server_config_t *config)
+{
+	host_t *host;
+	int on = 1;
+
+	host = host_create_from_string(config->addr, config->port);
+
+	config->fd = socket(AF_INET, SOCK_STREAM, 0);
+	ck_assert(config->fd != -1);
+	ck_assert(setsockopt(config->fd, SOL_SOCKET, SO_REUSEADDR,
+						 (void*)&on, sizeof(on)) != -1);
+	ck_assert_msg(bind(config->fd, host->get_sockaddr(host),
+				  *host->get_sockaddr_len(host)) != -1, "%s", strerror(errno));
+	host->destroy(host);
+	ck_assert(listen(config->fd, 1) != -1);
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	lib->processor->queue_job(lib->processor, (job_t*)
+				callback_job_create((void*)serve_echo, config, NULL, NULL));
+}
+
+/**
+ * Run client to perform echo test
+ */
+static void run_echo_client(echo_server_config_t *config)
+{
+	tls_socket_t *tls;
+	ssize_t len, rd, wr;
+	int fd;
+	host_t *host;
+	identification_t *server, *client = NULL;
+	char buf[128];
+
+	host = host_create_from_string(config->addr, config->port);
+	server = identification_create_from_string(config->addr);
+	if (config->cauth)
+	{
+		client = server;
+	}
+
+	fd = socket(AF_INET, SOCK_STREAM, 0);
+	ck_assert(fd != -1);
+	ck_assert(connect(fd, host->get_sockaddr(host),
+					  *host->get_sockaddr_len(host)) != -1);
+	tls = tls_socket_create(FALSE, server, client, fd, NULL,
+							config->version, TRUE);
+	ck_assert(tls != NULL);
+
+	wr = rd = 0;
+	while (rd < config->data.len)
+	{
+		len = tls->write(tls, config->data.ptr + wr, config->data.len - wr);
+		ck_assert(len >= 0);
+		wr += len;
+
+		len = tls->read(tls, buf, sizeof(buf), FALSE);
+		if (len == -1 && errno == EWOULDBLOCK)
+		{
+			continue;
+		}
+		if (len == 0)
+		{
+			ck_assert_int_eq(rd, config->data.len);
+			break;
+		}
+		ck_assert(len > 0);
+		ck_assert(rd + len <= config->data.len);
+		ck_assert(memeq(buf, config->data.ptr + rd, len));
+		rd += len;
+	}
+
+	tls->destroy(tls);
+	close(fd);
+	host->destroy(host);
+	server->destroy(server);
+}
+
+/**
+ * Common test wrapper function for different test variants
+ */
+static void test_tls(tls_version_t version, u_int16_t port, bool cauth, u_int i)
+{
+	echo_server_config_t *config;
+	tls_cipher_suite_t *suites;
+	char suite[128];
+	int count;
+
+	INIT(config,
+		.version = version,
+		.addr = "127.0.0.1",
+		.port = port,
+		.cauth = cauth,
+		.data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08),
+	);
+
+	start_echo_server(config);
+
+	count = tls_crypto_get_supported_suites(TRUE, &suites);
+
+	ck_assert(i < count);
+	snprintf(suite, sizeof(suite), "%N", tls_cipher_suite_names, suites[i]);
+	lib->settings->set_str(lib->settings, "%s.tls.suites", suite, lib->ns);
+
+	run_echo_client(config);
+
+	free(suites);
+
+	shutdown(config->fd, SHUT_RDWR);
+	close(config->fd);
+
+	free(config);
+}
+
+START_TEST(test_tls12)
+{
+	test_tls(TLS_1_2, 5671, FALSE, _i);
+}
+END_TEST
+
+START_TEST(test_tls12_mutual)
+{
+	test_tls(TLS_1_2, 5672, TRUE, _i);
+}
+END_TEST
+
+START_TEST(test_tls11)
+{
+	test_tls(TLS_1_1, 5673, FALSE, _i);
+}
+END_TEST
+
+START_TEST(test_tls11_mutual)
+{
+	test_tls(TLS_1_1, 5674, TRUE, _i);
+}
+END_TEST
+
+START_TEST(test_tls10)
+{
+	test_tls(TLS_1_0, 5675, FALSE, _i);
+}
+END_TEST
+
+START_TEST(test_tls10_mutual)
+{
+	test_tls(TLS_1_0, 5676, TRUE, _i);
+}
+END_TEST
+
+Suite *socket_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+	int count;
+
+	count = tls_crypto_get_supported_suites(TRUE, NULL);
+
+	s = suite_create("socket");
+
+	tc = tcase_create("TLS 1.2/anon");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls12, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.2/mutl");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls12_mutual, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.1/anon");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls11, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.1/mutl");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls11_mutual, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.0/anon");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls10, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.0/mutl");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls10_mutual, 0, count);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libtls/tests/suites/test_suites.c b/src/libtls/tests/suites/test_suites.c
new file mode 100644
index 000000000..f8ae12eb3
--- /dev/null
+++ b/src/libtls/tests/suites/test_suites.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_suite.h>
+
+#include <unistd.h>
+
+#include "tls_crypto.h"
+
+START_TEST(test_cipher_names)
+{
+	char buf[128];
+
+#define CHECK_NAME(x) { \
+	snprintf(buf, sizeof(buf), "%N", tls_cipher_suite_names, x); \
+	ck_assert_str_eq(#x, buf); }
+
+	CHECK_NAME(TLS_NULL_WITH_NULL_NULL);
+	CHECK_NAME(TLS_RSA_WITH_NULL_MD5);
+	CHECK_NAME(TLS_RSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_RSA_EXPORT_WITH_RC4_40_MD5);
+	CHECK_NAME(TLS_RSA_WITH_RC4_128_MD5);
+	CHECK_NAME(TLS_RSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5);
+	CHECK_NAME(TLS_RSA_WITH_IDEA_CBC_SHA);
+	CHECK_NAME(TLS_RSA_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_EXPORT_WITH_RC4_40_MD5);
+	CHECK_NAME(TLS_DH_anon_WITH_RC4_128_MD5);
+	CHECK_NAME(TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_DES_CBC_MD5);
+	CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_MD5);
+	CHECK_NAME(TLS_KRB5_WITH_RC4_128_MD5);
+	CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_MD5);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_SHA);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_MD5);
+	CHECK_NAME(TLS_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_PSK_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_PSK_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_PSK_WITH_NULL_SHA384);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA384);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA384);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA384);
+}
+END_TEST
+
+Suite *suites_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("suites");
+
+	tc = tcase_create("cipher-names");
+	tcase_add_test(tc, test_cipher_names);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libtls/tests/tls_tests.c b/src/libtls/tests/tls_tests.c
new file mode 100644
index 000000000..2c2c5bacc
--- /dev/null
+++ b/src/libtls/tests/tls_tests.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tls_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+	{ .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tls_tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+		if (!lib->plugins->load(lib->plugins, PLUGINS))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		lib->plugins->unload(lib->plugins);
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("libtls", tests, test_runner_init);
+}
diff --git a/src/libtls/tests/tls_tests.h b/src/libtls/tests/tls_tests.h
new file mode 100644
index 000000000..489b2ddb1
--- /dev/null
+++ b/src/libtls/tests/tls_tests.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(socket_suite_create)
+TEST_SUITE(suites_suite_create)
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6b51e7593..6e2955814 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -218,14 +218,7 @@ METHOD(tls_t, process, status_t,
 	{
 		if (this->input.len == 0)
 		{
-			if (buflen < sizeof(tls_record_t))
-			{
-				DBG2(DBG_TLS, "received incomplete TLS record header");
-				memcpy(&this->head, buf, buflen);
-				this->headpos = buflen;
-				break;
-			}
-			while (TRUE)
+			while (buflen >= sizeof(tls_record_t))
 			{
 				/* try to process records inline */
 				record = buf;
@@ -252,6 +245,13 @@ METHOD(tls_t, process, status_t,
 					return NEED_MORE;
 				}
 			}
+			if (buflen < sizeof(tls_record_t))
+			{
+				DBG2(DBG_TLS, "received incomplete TLS record header");
+				memcpy(&this->head, buf, buflen);
+				this->headpos = buflen;
+				break;
+			}
 		}
 		len = min(buflen, this->input.len - this->inpos);
 		memcpy(this->input.ptr + this->inpos, buf, len);
@@ -447,6 +447,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		case TLS_PURPOSE_EAP_TTLS:
 		case TLS_PURPOSE_EAP_PEAP:
 		case TLS_PURPOSE_GENERIC:
+		case TLS_PURPOSE_GENERIC_NULLOK:
 			break;
 		default:
 			return NULL;
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index db332fbbf..fc1d9b9fd 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -107,6 +107,8 @@ enum tls_purpose_t {
 	TLS_PURPOSE_EAP_PEAP,
 	/** non-EAP TLS */
 	TLS_PURPOSE_GENERIC,
+	/** non-EAP TLS accepting NULL encryption */
+	TLS_PURPOSE_GENERIC_NULLOK,
 	/** EAP binding for TNC */
 	TLS_PURPOSE_EAP_TNC
 };
diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c
new file mode 100644
index 000000000..1d0779dc0
--- /dev/null
+++ b/src/libtls/tls_aead.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * AEAD transform
+	 */
+	aead_t *aead;
+
+	/**
+	 * Size of salt, the implicit nonce
+	 */
+	size_t salt;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, encrypted, iv, plain;
+	u_int8_t icvlen;
+	sigheader_t hdr;
+	iv_gen_t *gen;
+
+	gen = this->aead->get_iv_gen(this->aead);
+	iv.len = this->aead->get_iv_size(this->aead);
+	icvlen = this->aead->get_icv_size(this->aead);
+
+	encrypted = chunk_alloc(iv.len + data->len + icvlen);
+	iv.ptr = encrypted.ptr;
+	if (!gen->get_iv(gen, seq, iv.len, iv.ptr))
+	{
+		chunk_free(&encrypted);
+		return FALSE;
+	}
+	memcpy(encrypted.ptr + iv.len, data->ptr, data->len);
+	plain = chunk_skip(encrypted, iv.len);
+	plain.len -= icvlen;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, plain.len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->aead->encrypt(this->aead, plain, assoc, iv, NULL))
+	{
+		return FALSE;
+	}
+	chunk_free(data);
+	*data = encrypted;
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, iv;
+	u_int8_t icvlen;
+	sigheader_t hdr;
+
+	iv.len = this->aead->get_iv_size(this->aead);
+	if (data->len < iv.len)
+	{
+		return FALSE;
+	}
+	iv.ptr = data->ptr;
+	*data = chunk_skip(*data, iv.len);
+	icvlen = this->aead->get_icv_size(this->aead);
+	if (data->len < icvlen)
+	{
+		return FALSE;
+	}
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len - icvlen);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->aead->decrypt(this->aead, *data, assoc, iv, NULL))
+	{
+		return FALSE;
+	}
+	data->len -= icvlen;
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->aead->get_key_size(this->aead) - this->salt;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->salt;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	chunk_t key;
+
+	if (mac.len)
+	{
+		return FALSE;
+	}
+	key = chunk_cata("cc", encr, iv);
+	return this->aead->set_key(this->aead, key);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->aead->destroy(this->aead);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+	size_t salt;
+
+	switch (encr)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			salt = 4;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.aead = lib->crypto->create_aead(lib->crypto, encr, encr_size, salt),
+		.salt = salt,
+	);
+
+	if (!this->aead)
+	{
+		free(this);
+		return NULL;
+	}
+
+	if (this->aead->get_block_size(this->aead) != 1)
+	{	/* TLS does not define any padding scheme for AEAD */
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h
new file mode 100644
index 000000000..1d5ba92b5
--- /dev/null
+++ b/src/libtls/tls_aead.h
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_aead tls_aead
+ * @{ @ingroup tls
+ */
+
+#ifndef TLS_AEAD_H_
+#define TLS_AEAD_H_
+
+typedef struct tls_aead_t tls_aead_t;
+
+#include "tls.h"
+
+/**
+ * TLS specific AEAD interface, includes padding.
+ *
+ * As TLS uses sign-then-encrypt instead of the more modern encrypt-then-sign,
+ * we can't directly abstract traditional transforms using our aead_t interface.
+ * With traditional transforms, the AEAD operation has to manage padding, as
+ * the MAC is calculated over unpadded data.
+ */
+struct tls_aead_t {
+
+	/**
+	 * Encrypt and sign a TLS record.
+	 *
+	 * The plain data chunk gets freed on success, and the data chunk
+	 * gets updated with a new allocation of the encrypted data.
+	 * If next_iv is given, it must contain the IV for this operation. It
+	 * gets updated to the IV for the next record.
+	 *
+	 * @param version		TLS version
+	 * @param type			TLS content type
+	 * @param seq			record sequence number
+	 * @param data			data to encrypt, encryption result
+	 * @return				TRUE if successfully encrypted
+	 */
+	bool (*encrypt)(tls_aead_t *this, tls_version_t version,
+					tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+	/**
+	 * Decrypt and verify a TLS record.
+	 *
+	 * The passed encrypted data chunk gets updated to the decrypted record
+	 * length, decryption is done inline.
+	 *
+	 * @param version		TLS version
+	 * @param type			TLS content type
+	 * @param seq			record sequence number
+	 * @param data			data to decrypt, decrypted result
+	 * @return				TRUE if successfully decrypted
+	 */
+	bool (*decrypt)(tls_aead_t *this, tls_version_t version,
+					tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+	/**
+	 * Get the authentication key size.
+	 *
+	 * @return		key size, in bytes, 0 if not used
+	 */
+	size_t (*get_mac_key_size)(tls_aead_t *this);
+
+	/**
+	 * Get the encrytion key size, if used.
+	 *
+	 * @return		key size, in bytes, 0 if not used
+	 */
+	size_t (*get_encr_key_size)(tls_aead_t *this);
+
+	/**
+	 * Get the size of implicit IV (or AEAD salt), if used.
+	 *
+	 * @return		IV/salt size, in bytes, 0 if not used
+	 */
+	size_t (*get_iv_size)(tls_aead_t *this);
+
+	/**
+	 * Set the keys used by an AEAD transform.
+	 *
+	 * @param mac		authentication key, if used
+	 * @param encr		encryption key, if used
+	 * @param iv		initial implicit IV or AEAD salt, if any
+	 * @return			TRUE if key valid and set
+	 */
+	bool (*set_keys)(tls_aead_t *this, chunk_t mac, chunk_t ecnr, chunk_t iv);
+
+	/**
+	 * Destroy a tls_aead_t.
+	 */
+	void (*destroy)(tls_aead_t *this);
+};
+
+/**
+ * Create a tls_aead instance using traditional transforms, explicit IV.
+ *
+ * An explicit IV means that the IV is prepended to each TLS record. This is
+ * the mechanism used in TLS 1.1 and newer.
+ *
+ * @param mac			integrity protection algorithm
+ * @param encr			encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using traditional transforms, implicit IV.
+ *
+ * An implicit IV uses a first IV derived from the TLS keymat, which then
+ * gets replaced by the last encrypted records tail. This is the mechanism
+ * used for TLS 1.0 and older.
+ *
+ * @param mac			integrity protection algorithm
+ * @param encr			encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using NULL encryption.
+ *
+ * As no IV is involved with null encryption, this AEAD works with any
+ * version of TLS.
+ *
+ * @param mac			integrity protection algorithm
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t mac);
+
+/**
+ * Create a tls_aead instance using real a AEAD cipher.
+ *
+ * @param encr			AEAD encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size);
+
+#endif /** TLS_AEAD_H_ @}*/
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c
new file mode 100644
index 000000000..5e4d33e14
--- /dev/null
+++ b/src/libtls/tls_aead_expl.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+
+	/**
+	 * IV generator
+	 */
+	iv_gen_t *iv_gen;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, padding, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	bs = this->crypter->get_block_size(this->crypter);
+	padlen = pad_len(data->len + mac.len + 1, bs);
+
+	padding = chunk_alloca(padlen);
+	memset(padding.ptr, padlen, padding.len);
+
+	/* TLSv1.1 uses random IVs, prepended to record */
+	iv.len = this->crypter->get_iv_size(this->crypter);
+	iv = chunk_alloca(iv.len);
+	if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
+	{
+		return FALSE;
+	}
+	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+	/* encrypt inline */
+	if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
+	{
+		free(data->ptr);
+		return FALSE;
+	}
+	/* prepend IV */
+	*data = chunk_cat("cm", iv, *data);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	iv.len = this->crypter->get_iv_size(this->crypter);
+	if (data->len < iv.len)
+	{
+		return FALSE;
+	}
+	iv.ptr = data->ptr;
+	*data = chunk_skip(*data, iv.len);
+	bs = this->crypter->get_block_size(this->crypter);
+	if (data->len < bs || data->len % bs)
+	{
+		return FALSE;
+	}
+	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+	{
+		return FALSE;
+	}
+	padlen = data->ptr[data->len - 1];
+	if (padlen < data->len)
+	{	/* If padding looks valid, remove it */
+		data->len -= padlen + 1;
+	}
+
+	bs = this->signer->get_block_size(this->signer);
+	if (data->len < bs)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - bs);
+	data->len -= bs;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len)
+	{
+		return FALSE;
+	}
+	return this->signer->set_key(this->signer, mac) &&
+		   this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->iv_gen->destroy(this->iv_gen);
+	DESTROY_IF(this->crypter);
+	DESTROY_IF(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+		.signer = lib->crypto->create_signer(lib->crypto, mac),
+		.iv_gen = iv_gen_rand_create(),
+	);
+
+	if (!this->crypter || !this->signer)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c
new file mode 100644
index 000000000..fb14026e0
--- /dev/null
+++ b/src/libtls/tls_aead_impl.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+
+	/**
+	 * Next implicit IV
+	 */
+	chunk_t iv;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, padding;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	bs = this->crypter->get_block_size(this->crypter);
+	padlen = pad_len(data->len + mac.len + 1, bs);
+
+	padding = chunk_alloca(padlen);
+	memset(padding.ptr, padlen, padding.len);
+
+	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+	/* encrypt inline */
+	if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL))
+	{
+		return FALSE;
+	}
+	if (data->len < this->iv.len)
+	{
+		return FALSE;
+	}
+	/* next record IV is last ciphertext block of this record */
+	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	bs = this->crypter->get_block_size(this->crypter);
+	if (data->len < bs || data->len < this->iv.len || data->len % bs)
+	{
+		return FALSE;
+	}
+	iv = chunk_alloca(this->iv.len);
+	memcpy(iv.ptr, this->iv.ptr, this->iv.len);
+	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+	{
+		return FALSE;
+	}
+	padlen = data->ptr[data->len - 1];
+	if (padlen < data->len)
+	{	/* If padding looks valid, remove it */
+		data->len -= padlen + 1;
+	}
+
+	bs = this->signer->get_block_size(this->signer);
+	if (data->len < bs)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - bs);
+	data->len -= bs;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->iv.len;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len != this->iv.len)
+	{
+		return FALSE;
+	}
+	memcpy(this->iv.ptr, iv.ptr, this->iv.len);
+	return this->signer->set_key(this->signer, mac) &&
+		   this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	DESTROY_IF(this->crypter);
+	DESTROY_IF(this->signer);
+	chunk_free(&this->iv);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+		.signer = lib->crypto->create_signer(lib->crypto, mac),
+	);
+
+	if (!this->crypter || !this->signer)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter));
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c
new file mode 100644
index 000000000..595b64000
--- /dev/null
+++ b/src/libtls/tls_aead_null.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	*data = chunk_cat("mm", *data, mac);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac;
+	sigheader_t hdr;
+
+	mac.len = this->signer->get_block_size(this->signer);
+	if (data->len < mac.len)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - mac.len);
+	data->len -= mac.len;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len || encr.len)
+	{
+		return FALSE;
+	}
+	return this->signer->set_key(this->signer, mac);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->signer->destroy(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t alg)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.signer = lib->crypto->create_signer(lib->crypto, alg),
+	);
+
+	if (!this->signer)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index cc73ebaeb..4f67b20d6 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -16,6 +16,7 @@
 #include "tls_crypto.h"
 
 #include <utils/debug.h>
+#include <plugins/plugin_feature.h>
 
 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
 								   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
@@ -80,7 +81,7 @@ ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
 	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 	"TLS_DH_anon_WITH_AES_256_CBC_SHA",
 	"TLS_RSA_WITH_NULL_SHA256",
-	"TLS_RSA_WITH_AES_128_CBC_SHA256 ",
+	"TLS_RSA_WITH_AES_128_CBC_SHA256",
 	"TLS_RSA_WITH_AES_256_CBC_SHA256",
 	"TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
 	"TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
@@ -111,13 +112,13 @@ ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
 	"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 	"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 	"TLS_PSK_WITH_RC4_128_SHA",
-	"TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
+	"TLS_PSK_WITH_3DES_EDE_CBC_SHA",
 	"TLS_PSK_WITH_AES_128_CBC_SHA",
 	"TLS_PSK_WITH_AES_256_CBC_SHA",
 	"TLS_DHE_PSK_WITH_RC4_128_SHA",
 	"TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
 	"TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
-	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
+	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
 	"TLS_RSA_PSK_WITH_RC4_128_SHA",
 	"TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
 	"TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
@@ -385,34 +386,14 @@ struct private_tls_crypto_t {
 	tls_prf_t *prf;
 
 	/**
-	 * Signer instance for inbound traffic
+	 * AEAD transform for inbound traffic
 	 */
-	signer_t *signer_in;
+	tls_aead_t *aead_in;
 
 	/**
-	 * Signer instance for outbound traffic
+	 * AEAD transform for outbound traffic
 	 */
-	signer_t *signer_out;
-
-	/**
-	 * Crypter instance for inbound traffic
-	 */
-	crypter_t *crypter_in;
-
-	/**
-	 * Crypter instance for outbound traffic
-	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * IV for input decryption, if < TLSv1.2
-	 */
-	chunk_t iv_in;
-
-	/**
-	 * IV for output decryption, if < TLSv1.2
-	 */
-	chunk_t iv_out;
+	tls_aead_t *aead_out;
 
 	/**
 	 * EAP-[T]TLS MSK
@@ -460,6 +441,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA384, PRF_HMAC_SHA2_384,
 		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
 	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		KEY_ECDSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 		KEY_RSA, ECP_256_BIT,
 		HASH_SHA256, PRF_HMAC_SHA2_256,
@@ -480,6 +471,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA384, PRF_HMAC_SHA2_384,
 		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
 	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		KEY_RSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 		KEY_RSA, MODP_2048_BIT,
 		HASH_SHA256,PRF_HMAC_SHA2_256,
@@ -500,6 +501,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA256, PRF_HMAC_SHA2_256,
 		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
 	},
+	{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+		KEY_RSA, MODP_4096_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
 		KEY_RSA, MODP_2048_BIT,
 		HASH_SHA256, PRF_HMAC_SHA2_256,
@@ -545,6 +556,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA256, PRF_HMAC_SHA2_256,
 		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
 	},
+	{ TLS_RSA_WITH_AES_128_GCM_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_RSA_WITH_AES_256_GCM_SHA384,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
 		KEY_RSA, MODP_NONE,
 		HASH_SHA256, PRF_HMAC_SHA2_256,
@@ -627,8 +648,7 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite)
 /**
  * Filter a suite list using a transform enumerator
  */
-static void filter_suite(private_tls_crypto_t *this,
-						 suite_algs_t suites[], int *count, int offset,
+static void filter_suite(suite_algs_t suites[], int *count, int offset,
 						 enumerator_t*(*create_enumerator)(crypto_factory_t*))
 {
 	const char *plugin_name;
@@ -641,21 +661,56 @@ static void filter_suite(private_tls_crypto_t *this,
 
 	for (i = 0; i < *count; i++)
 	{
+		if (create_enumerator == lib->crypto->create_crypter_enumerator &&
+			encryption_algorithm_is_aead(suites[i].encr))
+		{	/* filtering crypters, but current suite uses an AEAD, apply */
+			suites[remaining] = suites[i];
+			remaining++;
+			continue;
+		}
+		if (create_enumerator == lib->crypto->create_aead_enumerator &&
+			!encryption_algorithm_is_aead(suites[i].encr))
+		{	/* filtering AEADs, but current suite doesn't use one, apply */
+			suites[remaining] = suites[i];
+			remaining++;
+			continue;
+		}
 		enumerator = create_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
 		{
-			if ((suites[i].encr == ENCR_NULL ||
-				 !current.encr || current.encr == suites[i].encr) &&
-				(!current.mac  || current.mac  == suites[i].mac) &&
-				(!current.prf  || current.prf  == suites[i].prf) &&
-				(!current.hash || current.hash == suites[i].hash) &&
-				(suites[i].dh == MODP_NONE ||
-				 !current.dh   || current.dh   == suites[i].dh))
+			if (current.encr && current.encr != suites[i].encr)
 			{
-				suites[remaining] = suites[i];
-				remaining++;
-				break;
+				if (suites[i].encr != ENCR_NULL)
+				{	/* skip, ENCR does not match nor is NULL */
+					continue;
+				}
 			}
+			if (current.mac && current.mac != suites[i].mac)
+			{
+				if (suites[i].mac != AUTH_UNDEFINED)
+				{	/* skip, MAC does not match nor is it undefined */
+					continue;
+				}
+			}
+			if (current.prf && current.prf != suites[i].prf)
+			{	/* skip, PRF does not match */
+				continue;
+			}
+			if (current.hash && current.hash != suites[i].hash)
+			{	/* skip, hash does not match */
+				continue;
+			}
+			if (current.dh && current.dh != suites[i].dh)
+			{
+				if (suites[i].dh != MODP_NONE)
+				{	/* skip DH group, does not match nor NONE */
+					continue;
+				}
+			}
+			/* suite supported, apply */
+			suites[remaining] = suites[i];
+			remaining++;
+			break;
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -665,8 +720,7 @@ static void filter_suite(private_tls_crypto_t *this,
 /**
  * Purge NULL encryption cipher suites from list
  */
-static void filter_null_suites(private_tls_crypto_t *this,
-							   suite_algs_t suites[], int *count)
+static void filter_null_suites(suite_algs_t suites[], int *count)
 {
 	int i, remaining = 0;
 
@@ -789,6 +843,20 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this,
 					suites[remaining++] = suites[i];
 					break;
 				}
+				if (strcaseeq(token, "aes128gcm") &&
+					suites[i].encr == ENCR_AES_GCM_ICV16 &&
+					suites[i].encr_size == 16)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "aes256gcm") &&
+					suites[i].encr == ENCR_AES_GCM_ICV16 &&
+					suites[i].encr_size == 32)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
 				if (strcaseeq(token, "camellia128") &&
 					suites[i].encr == ENCR_CAMELLIA_CBC &&
 					suites[i].encr_size == 16)
@@ -905,6 +973,26 @@ static void filter_specific_config_suites(private_tls_crypto_t *this,
 }
 
 /**
+ * Filter out unsupported suites on given suite array
+ */
+static void filter_unsupported_suites(suite_algs_t suites[], int *count)
+{
+	/* filter suite list by each algorithm */
+	filter_suite(suites, count, offsetof(suite_algs_t, encr),
+				 lib->crypto->create_crypter_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, encr),
+				 lib->crypto->create_aead_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, mac),
+				 lib->crypto->create_signer_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, prf),
+				 lib->crypto->create_prf_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, hash),
+				 lib->crypto->create_hasher_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, dh),
+				 lib->crypto->create_dh_enumerator);
+}
+
+/**
  * Initialize the cipher suite list
  */
 static void build_cipher_suite_list(private_tls_crypto_t *this,
@@ -918,9 +1006,10 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
 	{
 		suites[i] = suite_algs[i];
 	}
+
 	if (require_encryption)
 	{
-		filter_null_suites(this, suites, &count);
+		filter_null_suites(suites, &count);
 	}
 	if (!this->rsa)
 	{
@@ -931,17 +1020,7 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
 		filter_key_suites(this, suites, &count, KEY_ECDSA);
 	}
 
-	/* filter suite list by each algorithm */
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
-				 lib->crypto->create_crypter_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
-				 lib->crypto->create_signer_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
-				 lib->crypto->create_prf_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
-				 lib->crypto->create_hasher_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
-				 lib->crypto->create_dh_enumerator);
+	filter_unsupported_suites(suites, &count);
 
 	/* filter suites with strongswan.conf options */
 	filter_key_exchange_config_suites(this, suites, &count);
@@ -969,10 +1048,82 @@ METHOD(tls_crypto_t, get_cipher_suites, int,
 }
 
 /**
+ * Create NULL encryption transforms
+ */
+static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	this->aead_in = tls_aead_create_null(algs->mac);
+	this->aead_out = tls_aead_create_null(algs->mac);
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Create traditional transforms
+ */
+static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	if (this->tls->get_version(this->tls) < TLS_1_1)
+	{
+		this->aead_in = tls_aead_create_implicit(algs->mac,
+								algs->encr, algs->encr_size);
+		this->aead_out = tls_aead_create_implicit(algs->mac,
+								algs->encr, algs->encr_size);
+	}
+	else
+	{
+		this->aead_in = tls_aead_create_explicit(algs->mac,
+								algs->encr, algs->encr_size);
+		this->aead_out = tls_aead_create_explicit(algs->mac,
+								algs->encr, algs->encr_size);
+	}
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
+			 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Create AEAD transforms
+ */
+static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
+	this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
+			 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Clean up and unset AEAD transforms
+ */
+static void destroy_aeads(private_tls_crypto_t *this)
+{
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
+	this->aead_in = this->aead_out = NULL;
+}
+
+/**
  * Create crypto primitives
  */
 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 {
+	destroy_aeads(this);
 	DESTROY_IF(this->prf);
 	if (this->tls->get_version(this->tls) < TLS_1_2)
 	{
@@ -987,38 +1138,29 @@ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 		DBG1(DBG_TLS, "selected TLS PRF not supported");
 		return FALSE;
 	}
-
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
-	this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
-	if (!this->signer_in || !this->signer_out)
+	if (algs->encr == ENCR_NULL)
 	{
-		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
-			 integrity_algorithm_names, algs->mac);
-		return FALSE;
+		if (create_null(this, algs))
+		{
+			return TRUE;
+		}
 	}
-
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	if (algs->encr == ENCR_NULL)
+	else if (encryption_algorithm_is_aead(algs->encr))
 	{
-		this->crypter_in = this->crypter_out = NULL;
+		if (create_aead(this, algs))
+		{
+			return TRUE;
+		}
 	}
 	else
 	{
-		this->crypter_in = lib->crypto->create_crypter(lib->crypto,
-												algs->encr, algs->encr_size);
-		this->crypter_out = lib->crypto->create_crypter(lib->crypto,
-												algs->encr, algs->encr_size);
-		if (!this->crypter_in || !this->crypter_out)
+		if (create_traditional(this, algs))
 		{
-			DBG1(DBG_TLS, "selected TLS crypter %N not supported",
-				 encryption_algorithm_names, algs->encr);
-			return FALSE;
+			return TRUE;
 		}
 	}
-	return TRUE;
+	destroy_aeads(this);
+	return FALSE;
 }
 
 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
@@ -1065,54 +1207,52 @@ METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
 	return MODP_NONE;
 }
 
+/**
+ * Map signature schemes to TLS key types and hashes, ordered by preference
+ */
+static struct {
+	tls_signature_algorithm_t sig;
+	tls_hash_algorithm_t hash;
+	signature_scheme_t scheme;
+} schemes[] = {
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA256,	SIGN_ECDSA_WITH_SHA256_DER	},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA384,	SIGN_ECDSA_WITH_SHA384_DER	},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA512,	SIGN_ECDSA_WITH_SHA512_DER	},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA1,		SIGN_ECDSA_WITH_SHA1_DER	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA256,	SIGN_RSA_EMSA_PKCS1_SHA256	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA384,	SIGN_RSA_EMSA_PKCS1_SHA384	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA512,	SIGN_RSA_EMSA_PKCS1_SHA512	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA224,	SIGN_RSA_EMSA_PKCS1_SHA224	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA1,		SIGN_RSA_EMSA_PKCS1_SHA1	},
+	{ TLS_SIG_RSA,		TLS_HASH_MD5,		SIGN_RSA_EMSA_PKCS1_MD5		},
+};
+
 METHOD(tls_crypto_t, get_signature_algorithms, void,
 	private_tls_crypto_t *this, bio_writer_t *writer)
 {
 	bio_writer_t *supported;
-	enumerator_t *enumerator;
-	hash_algorithm_t alg;
-	tls_hash_algorithm_t hash;
-	const char *plugin_name;
+	int i;
 
 	supported = bio_writer_create(32);
-	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &alg, &plugin_name))
+
+	for (i = 0; i < countof(schemes); i++)
 	{
-		switch (alg)
+		if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
 		{
-			case HASH_MD5:
-				hash = TLS_HASH_MD5;
-				break;
-			case HASH_SHA1:
-				hash = TLS_HASH_SHA1;
-				break;
-			case HASH_SHA224:
-				hash = TLS_HASH_SHA224;
-				break;
-			case HASH_SHA256:
-				hash = TLS_HASH_SHA256;
-				break;
-			case HASH_SHA384:
-				hash = TLS_HASH_SHA384;
-				break;
-			case HASH_SHA512:
-				hash = TLS_HASH_SHA512;
-				break;
-			default:
-				continue;
+			continue;
 		}
-		if (this->rsa)
+		if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
 		{
-			supported->write_uint8(supported, hash);
-			supported->write_uint8(supported, TLS_SIG_RSA);
+			continue;
 		}
-		if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
-		{	/* currently we have no signature scheme for MD5/SHA224 */
-			supported->write_uint8(supported, hash);
-			supported->write_uint8(supported, TLS_SIG_ECDSA);
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
+		{
+			continue;
 		}
+		supported->write_uint8(supported, schemes[i].hash);
+		supported->write_uint8(supported, schemes[i].sig);
 	}
-	enumerator->destroy(enumerator);
 
 	supported->wrap16(supported);
 	writer->write_data16(writer, supported->get_buf(supported));
@@ -1120,6 +1260,29 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
 }
 
 /**
+ * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
+ */
+static signature_scheme_t hashsig_to_scheme(key_type_t type,
+											tls_hash_algorithm_t hash,
+											tls_signature_algorithm_t sig)
+{
+	int i;
+
+	if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
+		(sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
+	{
+		for (i = 0; i < countof(schemes); i++)
+		{
+			if (schemes[i].sig == sig && schemes[i].hash == hash)
+			{
+				return schemes[i].scheme;
+			}
+		}
+	}
+	return SIGN_UNKNOWN;
+}
+
+/**
  * Mapping groups to TLS named curves
  */
 static struct {
@@ -1236,59 +1399,6 @@ static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
 	return TRUE;
 }
 
-/**
- * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
- */
-static signature_scheme_t hashsig_to_scheme(key_type_t type,
-					tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
-{
-	switch (sig)
-	{
-		case TLS_SIG_RSA:
-			if (type != KEY_RSA)
-			{
-				return SIGN_UNKNOWN;
-			}
-			switch (hash)
-			{
-				case TLS_HASH_MD5:
-					return SIGN_RSA_EMSA_PKCS1_MD5;
-				case TLS_HASH_SHA1:
-					return SIGN_RSA_EMSA_PKCS1_SHA1;
-				case TLS_HASH_SHA224:
-					return SIGN_RSA_EMSA_PKCS1_SHA224;
-				case TLS_HASH_SHA256:
-					return SIGN_RSA_EMSA_PKCS1_SHA256;
-				case TLS_HASH_SHA384:
-					return SIGN_RSA_EMSA_PKCS1_SHA384;
-				case TLS_HASH_SHA512:
-					return SIGN_RSA_EMSA_PKCS1_SHA512;
-				default:
-					return SIGN_UNKNOWN;
-			}
-		case TLS_SIG_ECDSA:
-			if (type != KEY_ECDSA)
-			{
-				return SIGN_UNKNOWN;
-			}
-			switch (hash)
-			{
-				case TLS_HASH_SHA224:
-					return SIGN_ECDSA_WITH_SHA1_DER;
-				case TLS_HASH_SHA256:
-					return SIGN_ECDSA_WITH_SHA256_DER;
-				case TLS_HASH_SHA384:
-					return SIGN_ECDSA_WITH_SHA384_DER;
-				case TLS_HASH_SHA512:
-					return SIGN_ECDSA_WITH_SHA512_DER;
-				default:
-					return SIGN_UNKNOWN;
-			}
-		default:
-			return SIGN_UNKNOWN;
-	}
-}
-
 METHOD(tls_crypto_t, sign, bool,
 	private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
 	chunk_t data, chunk_t hashsig)
@@ -1512,93 +1622,63 @@ static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
 static bool expand_keys(private_tls_crypto_t *this,
 						chunk_t client_random, chunk_t server_random)
 {
-	chunk_t seed, block, client_write, server_write;
-	int mks, eks = 0, ivs = 0;
+	chunk_t seed, block;
+	chunk_t cw_mac, cw, cw_iv;
+	chunk_t sw_mac, sw, sw_iv;
+	int mklen, eklen, ivlen;
 
-	/* derive key block for key expansion */
-	mks = this->signer_out->get_key_size(this->signer_out);
-	if (this->crypter_out)
+	if (!this->aead_in || !this->aead_out)
 	{
-		eks = this->crypter_out->get_key_size(this->crypter_out);
-		if (this->tls->get_version(this->tls) < TLS_1_1)
-		{
-			ivs = this->crypter_out->get_iv_size(this->crypter_out);
-		}
+		return FALSE;
 	}
+
+	/* derive key block for key expansion */
+	mklen = this->aead_in->get_mac_key_size(this->aead_in);
+	eklen = this->aead_in->get_encr_key_size(this->aead_in);
+	ivlen = this->aead_in->get_iv_size(this->aead_in);
 	seed = chunk_cata("cc", server_random, client_random);
-	block = chunk_alloca((mks + eks + ivs) * 2);
+	block = chunk_alloca((mklen + eklen + ivlen) * 2);
 	if (!this->prf->get_bytes(this->prf, "key expansion", seed,
 							  block.len, block.ptr))
 	{
 		return FALSE;
 	}
 
-	/* signer keys */
-	client_write = chunk_create(block.ptr, mks);
-	block = chunk_skip(block, mks);
-	server_write = chunk_create(block.ptr, mks);
-	block = chunk_skip(block, mks);
+	/* client/server write signer keys */
+	cw_mac = chunk_create(block.ptr, mklen);
+	block = chunk_skip(block, mklen);
+	sw_mac = chunk_create(block.ptr, mklen);
+	block = chunk_skip(block, mklen);
+
+	/* client/server write encryption keys */
+	cw = chunk_create(block.ptr, eklen);
+	block = chunk_skip(block, eklen);
+	sw = chunk_create(block.ptr, eklen);
+	block = chunk_skip(block, eklen);
+
+	/* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
+	cw_iv = chunk_create(block.ptr, ivlen);
+	block = chunk_skip(block, ivlen);
+	sw_iv = chunk_create(block.ptr, ivlen);
+	block = chunk_skip(block, ivlen);
+
 	if (this->tls->is_server(this->tls))
 	{
-		if (!this->signer_in->set_key(this->signer_in, client_write) ||
-			!this->signer_out->set_key(this->signer_out, server_write))
+		if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
+			!this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
 		{
 			return FALSE;
 		}
 	}
 	else
 	{
-		if (!this->signer_out->set_key(this->signer_out, client_write) ||
-			!this->signer_in->set_key(this->signer_in, server_write))
+		if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
+			!this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
 		{
 			return FALSE;
 		}
 	}
 
-	/* crypter keys, and IVs if < TLSv1.2 */
-	if (this->crypter_out && this->crypter_in)
-	{
-		client_write = chunk_create(block.ptr, eks);
-		block = chunk_skip(block, eks);
-		server_write = chunk_create(block.ptr, eks);
-		block = chunk_skip(block, eks);
-
-		if (this->tls->is_server(this->tls))
-		{
-			if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
-				!this->crypter_out->set_key(this->crypter_out, server_write))
-			{
-				return FALSE;
-			}
-		}
-		else
-		{
-			if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
-				!this->crypter_in->set_key(this->crypter_in, server_write))
-			{
-				return FALSE;
-			}
-		}
-		if (ivs)
-		{
-			client_write = chunk_create(block.ptr, ivs);
-			block = chunk_skip(block, ivs);
-			server_write = chunk_create(block.ptr, ivs);
-			block = chunk_skip(block, ivs);
-
-			if (this->tls->is_server(this->tls))
-			{
-				this->iv_in = chunk_clone(client_write);
-				this->iv_out = chunk_clone(server_write);
-			}
-			else
-			{
-				this->iv_out = chunk_clone(client_write);
-				this->iv_in = chunk_clone(server_write);
-			}
-		}
-	}
-
 	/* EAP-MSK */
 	if (this->msk_label)
 	{
@@ -1666,13 +1746,11 @@ METHOD(tls_crypto_t, change_cipher, void,
 	{
 		if (inbound)
 		{
-			this->protection->set_cipher(this->protection, TRUE,
-							this->signer_in, this->crypter_in, this->iv_in);
+			this->protection->set_cipher(this->protection, TRUE, this->aead_in);
 		}
 		else
 		{
-			this->protection->set_cipher(this->protection, FALSE,
-							this->signer_out, this->crypter_out, this->iv_out);
+			this->protection->set_cipher(this->protection, FALSE, this->aead_out);
 		}
 	}
 }
@@ -1686,12 +1764,7 @@ METHOD(tls_crypto_t, get_eap_msk, chunk_t,
 METHOD(tls_crypto_t, destroy, void,
 	private_tls_crypto_t *this)
 {
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	free(this->iv_in.ptr);
-	free(this->iv_out.ptr);
+	destroy_aeads(this);
 	free(this->handshake.ptr);
 	free(this->msk.ptr);
 	DESTROY_IF(this->prf);
@@ -1773,8 +1846,43 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
 		case TLS_PURPOSE_GENERIC:
 			build_cipher_suite_list(this, TRUE);
 			break;
+		case TLS_PURPOSE_GENERIC_NULLOK:
+			build_cipher_suite_list(this, FALSE);
+			break;
 		default:
 			break;
 	}
 	return &this->public;
 }
+
+/**
+ * See header.
+ */
+int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out)
+{
+	suite_algs_t suites[countof(suite_algs)];
+	int count = countof(suite_algs), i;
+
+	/* initialize copy of suite list */
+	for (i = 0; i < count; i++)
+	{
+		suites[i] = suite_algs[i];
+	}
+
+	filter_unsupported_suites(suites, &count);
+
+	if (!null)
+	{
+		filter_null_suites(suites, &count);
+	}
+
+	if (out)
+	{
+		*out = calloc(count, sizeof(tls_cipher_suite_t));
+		for (i = 0; i < count; i++)
+		{
+			(*out)[i] = suites[i].suite;
+		}
+	}
+	return count;
+}
diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h
index 5512b1f48..a42e07bb3 100644
--- a/src/libtls/tls_crypto.h
+++ b/src/libtls/tls_crypto.h
@@ -572,4 +572,13 @@ struct tls_crypto_t {
  */
 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache);
 
+/**
+ * Get a list of all supported TLS cipher suites.
+ *
+ * @param null			include supported NULL encryption suites
+ * @param suites		pointer to allocated suites array, to free(), or NULL
+ * @return				number of suites supported
+ */
+int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **suites);
+
 #endif /** TLS_CRYPTO_H_ @}*/
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index b429da300..a95b40f55 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -80,6 +80,11 @@ struct private_tls_peer_t {
 	peer_state_t state;
 
 	/**
+	 * TLS version we offered in hello
+	 */
+	tls_version_t hello_version;
+
+	/**
 	 * Hello random data selected by client
 	 */
 	char client_random[32];
@@ -724,6 +729,7 @@ static status_t send_client_hello(private_tls_peer_t *this,
 
 	/* TLS version */
 	version = this->tls->get_version(this->tls);
+	this->hello_version = version;
 	writer->write_uint16(writer, version);
 	writer->write_data(writer, chunk_from_thing(this->client_random));
 
@@ -917,7 +923,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
 		return NEED_MORE;
 	}
 	rng->destroy(rng);
-	htoun16(premaster, TLS_1_2);
+	htoun16(premaster, this->hello_version);
 
 	if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
 									  this->session, this->server,
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index 0d5df18f7..b016db21f 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -45,74 +45,26 @@ struct private_tls_protection_t {
 	tls_alert_t *alert;
 
 	/**
-	 * RNG if we generate IVs ourself
-	 */
-	rng_t *rng;
-
-	/**
 	 * Sequence number of incoming records
 	 */
-	u_int32_t seq_in;
+	u_int64_t seq_in;
 
 	/**
 	 * Sequence number for outgoing records
 	 */
-	u_int32_t seq_out;
-
-	/**
-	 * Signer instance for inbound traffic
-	 */
-	signer_t *signer_in;
-
-	/**
-	 * Signer instance for outbound traffic
-	 */
-	signer_t *signer_out;
+	u_int64_t seq_out;
 
 	/**
-	 * Crypter instance for inbound traffic
+	 * AEAD transform for inbound traffic
 	 */
-	crypter_t *crypter_in;
+	tls_aead_t *aead_in;
 
 	/**
-	 * Crypter instance for outbound traffic
+	 * AEAD transform for outbound traffic
 	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * Current IV for input decryption
-	 */
-	chunk_t iv_in;
-
-	/**
-	 * Current IV for output decryption
-	 */
-	chunk_t iv_out;
+	tls_aead_t *aead_out;
 };
 
-/**
- * Create the header and feed it into a signer for MAC verification
- */
-static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
-					  u_int16_t version, u_int16_t length)
-{
-	/* we only support 32 bit sequence numbers, but TLS uses 64 bit */
-	struct __attribute__((__packed__)) {
-		u_int32_t seq_high;
-		u_int32_t seq_low;
-		u_int8_t type;
-		u_int16_t version;
-		u_int16_t length;
-	} header = {
-		.type = type,
-	};
-	htoun32(&header.seq_low, seq);
-	htoun16(&header.version, version);
-	htoun16(&header.length, length);
-
-	return signer->get_signature(signer, chunk_from_thing(header), NULL);
-}
-
 METHOD(tls_protection_t, process, status_t,
 	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
@@ -121,75 +73,12 @@ METHOD(tls_protection_t, process, status_t,
 		return NEED_MORE;
 	}
 
-	if (this->crypter_in)
-	{
-		chunk_t iv, next_iv = chunk_empty;
-		u_int8_t bs, padding_length;
-
-		bs = this->crypter_in->get_block_size(this->crypter_in);
-		if (this->iv_in.len)
-		{	/* < TLSv1.1 uses IV from key derivation/last block */
-			if (data.len < bs || data.len % bs)
-			{
-				DBG1(DBG_TLS, "encrypted TLS record length invalid");
-				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-				return NEED_MORE;
-			}
-			iv = this->iv_in;
-			next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
-		}
-		else
-		{	/* TLSv1.1 uses random IVs, prepended to record */
-			iv.len = this->crypter_in->get_iv_size(this->crypter_in);
-			iv = chunk_create(data.ptr, iv.len);
-			data = chunk_skip(data, iv.len);
-			if (data.len < bs || data.len % bs)
-			{
-				DBG1(DBG_TLS, "encrypted TLS record length invalid");
-				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-				return NEED_MORE;
-			}
-		}
-		if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
-		{
-			free(next_iv.ptr);
-			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-			return NEED_MORE;
-		}
-
-		if (next_iv.len)
-		{	/* next record IV is last ciphertext block of this record */
-			memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
-			free(next_iv.ptr);
-		}
-
-		padding_length = data.ptr[data.len - 1];
-		if (padding_length < data.len)
-		{	/* remove padding if it looks valid. Continue with no padding, try
-			 * to prevent timing attacks. */
-			data.len -= padding_length + 1;
-		}
-	}
-	if (this->signer_in)
+	if (this->aead_in)
 	{
-		chunk_t mac;
-		u_int8_t bs;
-
-		bs = this->signer_in->get_block_size(this->signer_in);
-		if (data.len < bs)
+		if (!this->aead_in->decrypt(this->aead_in, this->version,
+									type, this->seq_in, &data))
 		{
-			DBG1(DBG_TLS, "TLS record too short to verify MAC");
-			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-			return NEED_MORE;
-		}
-		mac = chunk_skip(data, data.len - bs);
-		data.len -= bs;
-
-		if (!sigheader(this->signer_in, this->seq_in, type,
-					   this->version, data.len) ||
-			!this->signer_in->verify_signature(this->signer_in, data, mac))
-		{
-			DBG1(DBG_TLS, "TLS record MAC verification failed");
+			DBG1(DBG_TLS, "TLS record decryption failed");
 			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
 			return NEED_MORE;
 		}
@@ -220,72 +109,15 @@ METHOD(tls_protection_t, build, status_t,
 
 	if (status == NEED_MORE)
 	{
-		if (this->signer_out)
+		if (this->aead_out)
 		{
-			chunk_t mac;
-
-			if (!sigheader(this->signer_out, this->seq_out, *type,
-						   this->version, data->len) ||
-				!this->signer_out->allocate_signature(this->signer_out,
-						   *data, &mac))
+			if (!this->aead_out->encrypt(this->aead_out, this->version,
+										 *type, this->seq_out, data))
 			{
+				DBG1(DBG_TLS, "TLS record encryption failed");
+				chunk_free(data);
 				return FAILED;
 			}
-			if (this->crypter_out)
-			{
-				chunk_t padding, iv;
-				u_int8_t bs, padding_length;
-
-				bs = this->crypter_out->get_block_size(this->crypter_out);
-				padding_length = bs - ((data->len + mac.len + 1) % bs);
-
-				padding = chunk_alloca(padding_length);
-				memset(padding.ptr, padding_length, padding.len);
-
-				if (this->iv_out.len)
-				{	/* < TLSv1.1 uses IV from key derivation/last block */
-					iv = this->iv_out;
-				}
-				else
-				{	/* TLSv1.1 uses random IVs, prepended to record */
-					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
-					if (!this->rng ||
-						!this->rng->allocate_bytes(this->rng, iv.len, &iv))
-					{
-						DBG1(DBG_TLS, "failed to generate TLS IV");
-						free(data->ptr);
-						return FAILED;
-					}
-				}
-
-				*data = chunk_cat("mmcc", *data, mac, padding,
-								  chunk_from_thing(padding_length));
-				/* encrypt inline */
-				if (!this->crypter_out->encrypt(this->crypter_out, *data,
-												iv, NULL))
-				{
-					if (!this->iv_out.len)
-					{
-						free(iv.ptr);
-					}
-					free(data->ptr);
-					return FAILED;
-				}
-
-				if (this->iv_out.len)
-				{	/* next record IV is last ciphertext block of this record */
-					memcpy(this->iv_out.ptr, data->ptr + data->len -
-						   this->iv_out.len, this->iv_out.len);
-				}
-				else
-				{	/* prepend IV */
-					*data = chunk_cat("mm", iv, *data);
-				}
-			}
-			else
-			{	/* NULL encryption */
-				*data = chunk_cat("mm", *data, mac);
-			}
 		}
 		this->seq_out++;
 	}
@@ -293,24 +125,15 @@ METHOD(tls_protection_t, build, status_t,
 }
 
 METHOD(tls_protection_t, set_cipher, void,
-	private_tls_protection_t *this, bool inbound, signer_t *signer,
-	crypter_t *crypter, chunk_t iv)
+	private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
 {
 	if (inbound)
 	{
-		this->signer_in = signer;
-		this->crypter_in = crypter;
-		this->iv_in = iv;
+		this->aead_in = aead;
 	}
 	else
 	{
-		this->signer_out = signer;
-		this->crypter_out = crypter;
-		this->iv_out = iv;
-		if (!iv.len)
-		{	/* generate IVs if none given */
-			this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		}
+		this->aead_out = aead;
 	}
 }
 
@@ -323,7 +146,6 @@ METHOD(tls_protection_t, set_version, void,
 METHOD(tls_protection_t, destroy, void,
 	private_tls_protection_t *this)
 {
-	DESTROY_IF(this->rng);
 	free(this);
 }
 
diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h
index 05cf3df45..3280fb5a9 100644
--- a/src/libtls/tls_protection.h
+++ b/src/libtls/tls_protection.h
@@ -26,6 +26,7 @@
 typedef struct tls_protection_t tls_protection_t;
 
 #include "tls.h"
+#include "tls_aead.h"
 #include "tls_alert.h"
 #include "tls_compression.h"
 
@@ -62,15 +63,12 @@ struct tls_protection_t {
 					  tls_content_type_t *type, chunk_t *data);
 
 	/**
-	 * Set a new cipher, including encryption and integrity algorithms.
+	 * Set a new transforms to use at protection layer
 	 *
 	 * @param inbound	TRUE to use cipher for inbound data, FALSE for outbound
-	 * @param signer	new signer to use, gets owned by protection layer
-	 * @param crypter	new crypter to use, gets owned by protection layer
-	 * @param iv		initial IV for crypter, gets owned by protection layer
+	 * @param aead		new AEAD transform
 	 */
-	void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer,
-					   crypter_t *crypter, chunk_t iv);
+	void (*set_cipher)(tls_protection_t *this, bool inbound, tls_aead_t *aead);
 
 	/**
 	 * Set the TLS version negotiated, used for MAC calculation.
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 19232750b..648771e75 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -406,9 +406,11 @@ METHOD(tls_socket_t, destroy, void,
  * See header
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
-							identification_t *peer, int fd, tls_cache_t *cache)
+							identification_t *peer, int fd, tls_cache_t *cache,
+							tls_version_t max_version, bool nullok)
 {
 	private_tls_socket_t *this;
+	tls_purpose_t purpose;
 
 	INIT(this,
 		.public = {
@@ -430,13 +432,23 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 		.fd = fd,
 	);
 
-	this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+	if (nullok)
+	{
+		purpose = TLS_PURPOSE_GENERIC_NULLOK;
+	}
+	else
+	{
+		purpose = TLS_PURPOSE_GENERIC;
+	}
+
+	this->tls = tls_create(is_server, server, peer, purpose,
 						   &this->app.application, cache);
 	if (!this->tls)
 	{
 		free(this);
 		return NULL;
 	}
+	this->tls->set_version(this->tls, max_version);
 
 	return &this->public;
 }
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
index 75130a4d3..0d4db3b41 100644
--- a/src/libtls/tls_socket.h
+++ b/src/libtls/tls_socket.h
@@ -104,9 +104,12 @@ struct tls_socket_t {
  * @param peer				client identity, NULL for no client authentication
  * @param fd				socket to read/write from
  * @param cache				session cache to use, or NULL
+ * @param max_version		maximun TLS version to negotiate
+ * @param nullok			accept NULL encryption ciphers
  * @return					TLS socket wrapper
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
-							identification_t *peer, int fd, tls_cache_t *cache);
+							identification_t *peer, int fd, tls_cache_t *cache,
+							tls_version_t max_version, bool nullok);
 
 #endif /** TLS_SOCKET_H_ @}*/
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 745850ac1..bf37bc688 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -425,7 +425,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 1f839853c..11a3952ce 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 45c3569ac..cef45abc2 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 21ed94de2..bba53f53f 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index 7b4d53ed2..182d1ddce 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -385,7 +385,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 63010c301..468f21780 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -386,7 +386,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 6a99188ef..7327202aa 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 66ac31127..de76a6eee 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -337,7 +337,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 08033c461..04db56931 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -389,7 +389,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 5452a419a..d26237b7b 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -378,7 +378,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
deleted file mode 100644
index 78a466bd6..000000000
--- a/src/openac/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-ipsec_PROGRAMS = openac
-openac_SOURCES = openac.c
-dist_man_MANS = openac.8
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${openac_plugins}\""
-
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/openac.8 b/src/openac/openac.8
deleted file mode 100644
index ed1b8ed6c..000000000
--- a/src/openac/openac.8
+++ /dev/null
@@ -1,165 +0,0 @@
-.TH IPSEC_OPENAC 8 "22 September 2007"
-.SH NAME
-ipsec openac \- Generation of X.509 attribute certificates
-.SH SYNOPSIS
-.B ipsec
-.B openac
-[
-.B \-\-help
-] [
-.B \-\-version
-] [
-.B \-\-optionsfrom
-\fIfilename\fP
-]
-.br
-\ \ \ [
-.B \-\-quiet
-] [
-.B \-\-debug
-\fIlevel\fP
-]
-.br
-\ \ \ [
-.B \-\-days
-\fIdays\fP
-] [
-.B \-\-hours
-\fIhours\fP
-]
-.br
-\ \ \ [
-.B \-\-startdate
-\fIYYYYMMDDHHMMSSZ\fP
-] [
-.B \-\-stopdate
-\fIYYYYMMDDHHMMSSZ\fP
-]
-.br
-.B \ \ \ \-\-cert
-\fIcertfile\fP
-.B \-\-key
-\fIkeyfile\fP
-[
-.B \-\-password
-\fIpassword\fP
-]
-.br
-.B \ \ \ \-\-usercert
-\fIcertfile\fP
-.B \-\-groups
-\fIattr1,attr2,...\fP
-.B \-\-out
-\fIfilename\fP
-.SH DESCRIPTION
-.BR openac
-is intended to be used by an Authorization Authority (AA) to generate and sign
-X.509 attribute certificates. Currently only the inclusion of one ore several group
-attributes is supported. An attribute certificate is linked to a holder by
-including the issuer and serial number of the holder's X.509 certificate.
-.SH OPTIONS
-.TP
-\fB\-\-help\fP
-display the usage message.
-.TP
-\fB\-\-version\fP
-display the version of \fBopenac\fP.
-.TP
-\fB\-\-optionsfrom\fP\ \fIfilename\fP
-adds the contents of the file to the argument list.
-If \fIfilename\fP is a relative path then the file is searched in the directory
-\fI/etc/openac\fP.
-.TP
-\fB\-\-quiet\fP
-By default \fBopenac\fP logs all control output both to syslog and stderr.
-With the \fB\-\-quiet\fP option no output is written to stderr.
-.TP
-\fB\-\-days\fP\ \fIdays\fP
-Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor
-the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed.
-The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option.
-.TP
-\fB\-\-hours\fP\ \fIhours\fP
-Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor
-the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed.
-The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option.
-.TP
-\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
-defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid.
-The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
-If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default.
-
-.TP
-\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
-defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire.
-The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
-If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed
-by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options
-to the \fBnotBefore\fP date.
-.TP
-\fB\-\-cert\fP\ \fIcertfile\fP
-specifies the file containing the X.509 certificate of the Authorization Authority.
-The certificate is stored either in PEM or DER format.
-.TP
-\fB\-\-key\fP\ \fIkeyfile\fP
-specifies the encrypted file containing the private RSA key of the Authoritzation
-Authority. The private key is stored in PKCS#1 format.
-.TP
-\fB\-\-password\fP\ \fIpassword\fP
-specifies the password with which the private RSA keyfile defined by the
-\fB\-\-key\fP option has been protected. If the option is missing then the
-password is prompted for on the command line.
-.TP
-\fB\-\-usercert\fP\ \fIcertfile\fP
-specifies file containing the X.509 certificate of the user to which the generated attribute
-certificate will apply. The certificate file is stored either in PEM or DER format.
-.TP
-\fB\-\-groups\fP\ \fIattr1,attr2\fP
-specifies a comma-separated list of group attributes that will go into the
-X.509 attribute certificate.
-.TP
-\fB\-\-out\fP\ \fIfilename\fP
-specifies the file where the generated X.509 attribute certificate will be stored to.
-.SS Debugging
-.LP
-\fBopenac\fP produces a prodigious amount of debugging information.  To do so,
-it must be compiled with \-DDEBUG.  There are several classes of debugging output,
-and \fBopenac\fP may be directed to produce a selection of them.  All lines of
-debugging output are prefixed with ``|\ '' to distinguish them from error messages.
-.LP
-When \fBopenac\fP is invoked, it may be given arguments to specify
-which classes to output.  The current options are:
-.TP
-\fB\-\-debug\fP\ \fIlevel\fP
-sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private),
-the default level being 1.
-.SH EXIT STATUS
-.LP
-The execution of \fBopenac\fP terminates with one of the following two exit codes:
-.TP
-0
-means that the attribute certificate was successfully generated and stored.
-.TP
-1
-means that something went wrong.
-.SH FILES
-\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate
-.SH SEE ALSO
-.LP
-The X.509 attribute certificates generated with \fBopenac\fP can be used to
-enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8)
-to load and list X.509 attribute certificates.
-.LP
-For more information on X.509 attribute certificates, refer to the following
-IETF RFC:
-.IP
-RFC 3281 An Internet Attribute Certificate Profile for Authorization
-.SH HISTORY
-The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi.
-The software was recoded by Andreas Steffen using strongSwan's X.509 library and 
-the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen.
-All authors were with the Zurich University of Applied Sciences in Winterthur,
-Switzerland.
-.LP
-.SH BUGS
-Bugs should be reported to the <users@lists.strongswan.org> mailing list.
diff --git a/src/openac/openac.c b/src/openac/openac.c
deleted file mode 100644
index 8862e9ab0..000000000
--- a/src/openac/openac.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/**
- * @file openac.c
- *
- * @brief Generation of X.509 attribute certificates.
- *
- */
-
-/*
- * Copyright (C) 2002  Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004,2007  Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <time.h>
-#include <errno.h>
-
-#include <library.h>
-#include <utils/debug.h>
-#include <asn1/asn1.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/sets/mem_cred.h>
-#include <utils/optionsfrom.h>
-
-#define OPENAC_PATH			IPSEC_CONFDIR "/openac"
-#define OPENAC_SERIAL		IPSEC_CONFDIR "/openac/serial"
-
-#define DEFAULT_VALIDITY	24*3600		/* seconds */
-
-/**
- * @brief prints the usage of the program to the stderr
- */
-static void usage(const char *message)
-{
-	if (message != NULL && *message != '\0')
-	{
-		fprintf(stderr, "%s\n", message);
-	}
-	fprintf(stderr, "Usage: openac"
-		" [--help]"
-		" [--version]"
-		" [--optionsfrom <filename>]"
-		" [--quiet]"
-		" \\\n\t"
-		"      [--debug <level 0..4>]"
-		" \\\n\t"
-		"      [--days <days>]"
-		" [--hours <hours>]"
-		" \\\n\t"
-		"      [--startdate <YYYYMMDDHHMMSSZ>]"
-		" [--enddate <YYYYMMDDHHMMSSZ>]"
-		" \\\n\t"
-		"      --cert <certfile>"
-		" --key <keyfile>"
-		" [--password <password>]"
-		" \\\n\t"
-		"      --usercert <certfile>"
-		" --groups <attr1,attr2,..>"
-		" --out <filename>"
-		"\n"
-	);
-}
-
-/**
- * read the last serial number from file
- */
-static chunk_t read_serial(void)
-{
-	chunk_t hex, serial = chunk_empty;
-	char one[] = {0x01};
-	FILE *fd;
-
-	fd = fopen(OPENAC_SERIAL, "r");
-	if (fd)
-	{
-		hex = chunk_alloca(64);
-		hex.len = fread(hex.ptr, 1, hex.len, fd);
-		if (hex.len)
-		{
-			/* remove any terminating newline character */
-			if (hex.ptr[hex.len-1] == '\n')
-			{
-				hex.len--;
-			}
-			serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
-			serial = chunk_from_hex(hex, serial.ptr);
-		}
-		fclose(fd);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "  file '%s' does not exist yet - serial number "
-			 "set to 01", OPENAC_SERIAL);
-	}
-	if (!serial.len)
-	{
-		return chunk_clone(chunk_create(one, 1));
-	}
-	if (chunk_increment(serial))
-	{	/* overflow, prepend 0x01 */
-		return chunk_cat("cc", chunk_create(one, 1), serial);
-	}
-	return chunk_clone(serial);
-}
-
-/**
- * write back the last serial number to file
- */
-static void write_serial(chunk_t serial)
-{
-	FILE *fd = fopen(OPENAC_SERIAL, "w");
-
-	if (fd)
-	{
-		chunk_t hex_serial;
-
-		DBG1(DBG_LIB, "  serial number is %#B", &serial);
-		hex_serial = chunk_to_hex(serial, NULL, FALSE);
-		fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr);
-		fclose(fd);
-		free(hex_serial.ptr);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "  could not open file '%s' for writing", OPENAC_SERIAL);
-	}
-}
-
-/**
- * global variables accessible by both main() and build.c
- */
-
-static int debug_level = 1;
-static bool stderr_quiet = FALSE;
-
-/**
- * openac dbg function
- */
-static void openac_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-	int priority = LOG_INFO;
-	char buffer[8192];
-	char *current = buffer, *next;
-	va_list args;
-
-	if (level <= debug_level)
-	{
-		if (!stderr_quiet)
-		{
-			va_start(args, fmt);
-			vfprintf(stderr, fmt, args);
-			fprintf(stderr, "\n");
-			va_end(args);
-		}
-
-		/* write in memory buffer first */
-		va_start(args, fmt);
-		vsnprintf(buffer, sizeof(buffer), fmt, args);
-		va_end(args);
-
-		/* do a syslog with every line */
-		while (current)
-		{
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			syslog(priority, "%s\n", current);
-			current = next;
-		}
-	}
-}
-
-/**
- * @brief openac main program
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char **argv)
-{
-	certificate_t *attr_cert   = NULL;
-	certificate_t *userCert   = NULL;
-	certificate_t *signerCert = NULL;
-	private_key_t *signerKey  = NULL;
-
-	time_t notBefore = UNDEFINED_TIME;
-	time_t notAfter  = UNDEFINED_TIME;
-	time_t validity = 0;
-
-	char *keyfile = NULL;
-	char *certfile = NULL;
-	char *usercertfile = NULL;
-	char *outfile = NULL;
-	char *groups = "";
-	char buf[BUF_LEN];
-
-	chunk_t passphrase = { buf, 0 };
-	chunk_t serial = chunk_empty;
-	chunk_t attr_chunk = chunk_empty;
-
-	int status = 1;
-
-	/* enable openac debugging hook */
-	dbg = openac_dbg;
-
-	passphrase.ptr[0] = '\0';
-
-	openlog("openac", 0, LOG_AUTHPRIV);
-
-	/* initialize library */
-	atexit(library_deinit);
-	if (!library_init(NULL, "openac"))
-	{
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "openac", argv[0]))
-	{
-		fprintf(stderr, "integrity check of openac failed\n");
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-	if (!lib->plugins->load(lib->plugins,
-			lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
-	{
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
-	/* initialize optionsfrom */
-	options_t *options = options_create();
-
-	/* handle arguments */
-	for (;;)
-	{
-		static const struct option long_opts[] = {
-			/* name, has_arg, flag, val */
-			{ "help", no_argument, NULL, 'h' },
-			{ "version", no_argument, NULL, 'v' },
-			{ "optionsfrom", required_argument, NULL, '+' },
-			{ "quiet", no_argument, NULL, 'q' },
-			{ "cert", required_argument, NULL, 'c' },
-			{ "key", required_argument, NULL, 'k' },
-			{ "password", required_argument, NULL, 'p' },
-			{ "usercert", required_argument, NULL, 'u' },
-			{ "groups", required_argument, NULL, 'g' },
-			{ "days", required_argument, NULL, 'D' },
-			{ "hours", required_argument, NULL, 'H' },
-			{ "startdate", required_argument, NULL, 'S' },
-			{ "enddate", required_argument, NULL, 'E' },
-			{ "out", required_argument, NULL, 'o' },
-			{ "debug", required_argument, NULL, 'd' },
-			{ 0,0,0,0 }
-		};
-
-		int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
-
-		/* Note: "breaking" from case terminates loop */
-		switch (c)
-		{
-			case EOF:	/* end of flags */
-				break;
-
-			case 0: /* long option already handled */
-				continue;
-
-			case ':':	/* diagnostic already printed by getopt_long */
-			case '?':	/* diagnostic already printed by getopt_long */
-			case 'h':	/* --help */
-				usage(NULL);
-				status = 1;
-				goto end;
-
-			case 'v':	/* --version */
-				printf("openac (strongSwan %s)\n", VERSION);
-				status = 0;
-				goto end;
-
-			case '+':	/* --optionsfrom <filename> */
-				{
-					char path[BUF_LEN];
-
-					if (*optarg == '/')	/* absolute pathname */
-					{
-						strncpy(path, optarg, BUF_LEN);
-						path[BUF_LEN-1] = '\0';
-					}
-					else			/* relative pathname */
-					{
-						snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
-					}
-					if (!options->from(options, path, &argc, &argv, optind))
-					{
-						status = 1;
-						goto end;
-					}
-				}
-				continue;
-
-			case 'q':	/* --quiet */
-				stderr_quiet = TRUE;
-				continue;
-
-			case 'c':	/* --cert */
-				certfile = optarg;
-				continue;
-
-			case 'k':	/* --key */
-				keyfile = optarg;
-				continue;
-
-			case 'p':	/* --key */
-				if (strlen(optarg) >= BUF_LEN)
-				{
-					usage("passphrase too long");
-					goto end;
-				}
-				strncpy(passphrase.ptr, optarg, BUF_LEN);
-				passphrase.len = min(strlen(optarg), BUF_LEN);
-				continue;
-
-			case 'u':	/* --usercert */
-				usercertfile = optarg;
-				continue;
-
-			case 'g':	/* --groups */
-				groups = optarg;
-				continue;
-
-			case 'D':	/* --days */
-				if (optarg == NULL || !isdigit(optarg[0]))
-				{
-					usage("missing number of days");
-					goto end;
-				}
-				else
-				{
-					char *endptr;
-					long days = strtol(optarg, &endptr, 0);
-
-					if (*endptr != '\0' || endptr == optarg || days <= 0)
-					{
-						usage("<days> must be a positive number");
-						goto end;
-					}
-					validity += 24*3600*days;
-				}
-				continue;
-
-			case 'H':	/* --hours */
-				if (optarg == NULL || !isdigit(optarg[0]))
-				{
-					usage("missing number of hours");
-					goto end;
-				}
-				else
-				{
-					char *endptr;
-					long hours = strtol(optarg, &endptr, 0);
-
-					if (*endptr != '\0' || endptr == optarg || hours <= 0)
-					{
-						usage("<hours> must be a positive number");
-						goto end;
-					}
-					validity += 3600*hours;
-				}
-				continue;
-
-			case 'S':	/* --startdate */
-				if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
-				{
-					usage("date format must be YYYYMMDDHHMMSSZ");
-					goto end;
-				}
-				else
-				{
-					chunk_t date = { optarg, 15 };
-
-					notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
-				}
-				continue;
-
-			case 'E':	/* --enddate */
-				if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
-				{
-					usage("date format must be YYYYMMDDHHMMSSZ");
-					goto end;
-				}
-				else
-				{
-					chunk_t date = { optarg, 15 };
-					notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
-				}
-				continue;
-
-			case 'o':	/* --out */
-				outfile = optarg;
-				continue;
-
-			case 'd':	/* --debug */
-				debug_level = atoi(optarg);
-				continue;
-
-			default:
-				usage("");
-				status = 0;
-				goto end;
-		}
-		/* break from loop */
-		break;
-	}
-
-	if (optind != argc)
-	{
-		usage("unexpected argument");
-		goto end;
-	}
-
-	DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION);
-
-	/* load the signer's RSA private key */
-	if (keyfile != NULL)
-	{
-		mem_cred_t *mem;
-		shared_key_t *shared;
-
-		mem = mem_cred_create();
-		lib->credmgr->add_set(lib->credmgr, &mem->set);
-		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
-								   chunk_clone(passphrase));
-		mem->add_shared(mem, shared, NULL);
-		signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									   BUILD_FROM_FILE, keyfile,
-									   BUILD_END);
-		lib->credmgr->remove_set(lib->credmgr, &mem->set);
-		mem->destroy(mem);
-		if (signerKey == NULL)
-		{
-			goto end;
-		}
-		DBG1(DBG_LIB, "  loaded private key file '%s'", keyfile);
-	}
-
-	/* load the signer's X.509 certificate */
-	if (certfile != NULL)
-	{
-		signerCert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, certfile,
-										BUILD_END);
-		if (signerCert == NULL)
-		{
-			goto end;
-		}
-	}
-
-	/* load the users's X.509 certificate */
-	if (usercertfile != NULL)
-	{
-		userCert = lib->creds->create(lib->creds,
-									  CRED_CERTIFICATE, CERT_X509,
-									  BUILD_FROM_FILE, usercertfile,
-									  BUILD_END);
-		if (userCert == NULL)
-		{
-			goto end;
-		}
-	}
-
-	/* compute validity interval */
-	validity = (validity)? validity : DEFAULT_VALIDITY;
-	notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
-	notAfter =  (notAfter  == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
-
-	/* build and parse attribute certificate */
-	if (userCert != NULL && signerCert != NULL && signerKey != NULL &&
-		outfile != NULL)
-	{
-		/* read the serial number and increment it by one */
-		serial = read_serial();
-
-		attr_cert = lib->creds->create(lib->creds,
-							CRED_CERTIFICATE, CERT_X509_AC,
-							BUILD_CERT, userCert,
-							BUILD_NOT_BEFORE_TIME, notBefore,
-							BUILD_NOT_AFTER_TIME, notAfter,
-							BUILD_SERIAL, serial,
-							BUILD_IETF_GROUP_ATTR, groups,
-							BUILD_SIGNING_CERT, signerCert,
-							BUILD_SIGNING_KEY, signerKey,
-							BUILD_END);
-		if (!attr_cert)
-		{
-			goto end;
-		}
-
-		/* write the attribute certificate to file */
-		if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
-		{
-			if (chunk_write(attr_chunk, outfile, 0022, TRUE))
-			{
-				DBG1(DBG_APP, "  written attribute cert file '%s' (%d bytes)",
-						 outfile, attr_chunk.len);
-				write_serial(serial);
-				status = 0;
-			}
-			else
-			{
-				DBG1(DBG_APP, "  writing attribute cert file '%s' failed: %s",
-					 outfile, strerror(errno));
-			}
-		}
-	}
-	else
-	{
-		usage("some of the mandatory parameters --usercert --cert --key --out "
-			  "are missing");
-	}
-
-end:
-	/* delete all dynamically allocated objects */
-	DESTROY_IF(signerKey);
-	DESTROY_IF(signerCert);
-	DESTROY_IF(userCert);
-	DESTROY_IF(attr_cert);
-	free(attr_chunk.ptr);
-	free(serial.ptr);
-	closelog();
-	dbg = dbg_default;
-	options->destroy(options);
-	exit(status);
-}
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index efbed9b2b..266802cf7 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -11,6 +11,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/acert.c \
 	commands/pkcs7.c \
 	commands/verify.c
 
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 461d958da..2dd91e801 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -107,7 +107,8 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
 	commands/keyid.$(OBJEXT) commands/pub.$(OBJEXT) \
 	commands/req.$(OBJEXT) commands/self.$(OBJEXT) \
 	commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \
-	commands/pkcs7.$(OBJEXT) commands/verify.$(OBJEXT)
+	commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \
+	commands/verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -386,7 +387,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -436,6 +436,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/acert.c \
 	commands/pkcs7.c \
 	commands/verify.c
 
@@ -549,6 +550,8 @@ commands/print.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/signcrl.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/acert.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/verify.$(OBJEXT): commands/$(am__dirstamp) \
@@ -567,6 +570,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/acert.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@
diff --git a/src/pki/command.c b/src/pki/command.c
index b6966ee0b..075a2279a 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -200,7 +200,7 @@ int command_usage(char *error)
 	fprintf(out, "usage:\n");
 	if (active == help_idx)
 	{
-		for (i = 0; cmds[i].cmd; i++)
+		for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++)
 		{
 			fprintf(out, "  pki --%-7s (-%c)  %s\n",
 					cmds[i].cmd, cmds[i].op, cmds[i].description);
@@ -263,7 +263,7 @@ int command_dispatch(int c, char *v[])
 
 	build_opts();
 	op = getopt_long(c, v, command_optstring, command_opts, NULL);
-	for (i = 0; cmds[i].cmd; i++)
+	for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++)
 	{
 		if (cmds[i].op == op)
 		{
diff --git a/src/pki/command.h b/src/pki/command.h
index 737f4658d..9cf036bf2 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -24,12 +24,12 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 11
+#define MAX_COMMANDS 12
 
 /**
  * Maximum number of options in a command (+3)
  */
-#define MAX_OPTIONS 32
+#define MAX_OPTIONS 36
 
 /**
  * Maximum number of usage summary lines (+1)
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
new file mode 100644
index 000000000..d49365db5
--- /dev/null
+++ b/src/pki/commands/acert.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+#include <errno.h>
+
+#include "pki.h"
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <collections/linked_list.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
+
+/**
+ * Issue an attribute certificate
+ */
+static int acert()
+{
+	cred_encoding_type_t form = CERT_ASN1_DER;
+	hash_algorithm_t digest = HASH_SHA1;
+	certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
+	private_key_t *private = NULL;
+	public_key_t *public = NULL;
+	char *file = NULL, *hex = NULL, *issuercert = NULL, *issuerkey = NULL;
+	char *error = NULL, *keyid = NULL;
+	linked_list_t *groups;
+	chunk_t serial = chunk_empty, encoding = chunk_empty;
+	time_t not_before, not_after, lifetime = 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
+	rng_t *rng;
+	char *arg;
+
+	groups = linked_list_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				goto usage;
+			case 'g':
+				digest = enum_from_name(hash_algorithm_short_names, arg);
+				if (digest == -1)
+				{
+					error = "invalid --digest type";
+					goto usage;
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case 'm':
+				groups->insert_last(groups, arg);
+				continue;
+			case 'c':
+				issuercert = arg;
+				continue;
+			case 'k':
+				issuerkey = arg;
+				continue;
+			case 'x':
+				keyid = arg;
+				continue;
+			case 'l':
+				lifetime = atoi(arg) * 60 * 60;
+				if (!lifetime)
+				{
+					error = "invalid --lifetime value";
+					goto usage;
+				}
+				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
+			case 's':
+				hex = arg;
+				continue;
+			case 'f':
+				if (!get_form(arg, &form, CRED_CERTIFICATE))
+				{
+					error = "invalid output format";
+					goto usage;
+				}
+				continue;
+			case EOF:
+				break;
+			default:
+				error = "invalid --acert option";
+				goto usage;
+		}
+		break;
+	}
+
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
+
+	if (!issuercert)
+	{
+		error = "--issuercert is required";
+		goto usage;
+	}
+	if (!issuerkey && !keyid)
+	{
+		error = "--issuerkey or --issuerkeyid is required";
+		goto usage;
+	}
+
+	issuer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								BUILD_FROM_FILE, issuercert, BUILD_END);
+	if (!issuer)
+	{
+		error = "parsing issuer certificate failed";
+		goto end;
+	}
+	public = issuer->get_public_key(issuer);
+	if (!public)
+	{
+		error = "extracting issuer certificate public key failed";
+		goto end;
+	}
+	if (issuerkey)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+									 public->get_type(public),
+									 BUILD_FROM_FILE, issuerkey, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
+	if (!private)
+	{
+		error = "loading issuer private key failed";
+		goto end;
+	}
+	if (!private->belongs_to(private, public))
+	{
+		error = "issuer private key does not match issuer certificate";
+		goto end;
+	}
+
+	if (hex)
+	{
+		serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
+	}
+	else
+	{
+		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!rng)
+		{
+			error = "no random number generator found";
+			goto end;
+		}
+		if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
+		{
+			error = "failed to generate serial number";
+			rng->destroy(rng);
+			goto end;
+		}
+		serial.ptr[0] &= 0x7F;
+		rng->destroy(rng);
+	}
+
+	if (file)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		if (!chunk_from_fd(0, &encoding))
+		{
+			fprintf(stderr, "%s: ", strerror(errno));
+			error = "reading public key failed";
+			goto end;
+		}
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB, encoding, BUILD_END);
+		chunk_free(&encoding);
+	}
+	if (!cert)
+	{
+		error = "parsing user certificate failed";
+		goto end;
+	}
+
+	ac = lib->creds->create(lib->creds,
+							CRED_CERTIFICATE, CERT_X509_AC,
+							BUILD_CERT, cert,
+							BUILD_NOT_BEFORE_TIME, not_before,
+							BUILD_NOT_AFTER_TIME, not_after,
+							BUILD_SERIAL, serial,
+							BUILD_AC_GROUP_STRINGS, groups,
+							BUILD_SIGNING_CERT, issuer,
+							BUILD_SIGNING_KEY, private,
+							BUILD_END);
+	if (!ac)
+	{
+		error = "generating attribute certificate failed";
+		goto end;
+	}
+	if (!ac->get_encoding(ac, form, &encoding))
+	{
+		error = "encoding attribute certificate failed";
+		goto end;
+	}
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		error = "writing attribute certificate key failed";
+		goto end;
+	}
+
+end:
+	DESTROY_IF(ac);
+	DESTROY_IF(cert);
+	DESTROY_IF(issuer);
+	DESTROY_IF(public);
+	DESTROY_IF(private);
+	groups->destroy(groups);
+	free(encoding.ptr);
+	free(serial.ptr);
+
+	if (error)
+	{
+		fprintf(stderr, "%s\n", error);
+		return 1;
+	}
+	return 0;
+
+usage:
+	groups->destroy(groups);
+	return command_usage(error);
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		acert, 'z', "acert",
+		"issue an attribute certificate",
+		{"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex",
+		 " --issuercert file [--serial hex] [--lifetime hours]",
+		 " [--not-before datetime] [--not-after datetime] [--dateform form]",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		{
+			{"help",			'h', 0, "show usage information"},
+			{"in",				'i', 1, "holder certificate, default: stdin"},
+			{"group",			'm', 1, "group membership string to include"},
+			{"issuercert",		'c', 1, "issuer certificate file"},
+			{"issuerkey",		'k', 1, "issuer private key file"},
+			{"issuerkeyid",		'x', 1, "keyid on smartcard of issuer private key"},
+			{"serial",			's', 1, "serial number in hex, default: random"},
+			{"lifetime",		'l', 1, "hours the acert is valid, default: 24"},
+			{"not-before",		'F', 1, "date/time the validity of the AC starts"},
+			{"not-after",		'T', 1, "date/time the validity of the AC ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
+			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",			'f', 1, "encoding of generated cert, default: der"},
+		}
+	});
+}
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d5c33b89f..d03326e3d 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -72,8 +72,8 @@ static int issue()
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
-	time_t lifetime = 1095;
-	time_t not_before, not_after;
+	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_t *x509;
 	x509_cdp_t *cdp = NULL;
@@ -132,13 +132,22 @@ static int issue()
 				san->insert_last(san, identification_create_from_string(arg));
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
 					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
 			case 's':
 				hex = arg;
 				continue;
@@ -242,6 +251,10 @@ static int issue()
 				{
 					flags |= X509_OCSP_SIGNER;
 				}
+				else if (streq(arg, "msSmartcardLogon"))
+				{
+					flags |= X509_MS_SMARTCARD_LOGON;
+				}
 				continue;
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -285,6 +298,12 @@ static int issue()
 		error = "--cakey or --keyid is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
 	if (dn && *dn)
 	{
 		id = identification_create_from_string(dn);
@@ -363,6 +382,7 @@ static int issue()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
 
@@ -454,9 +474,6 @@ static int issue()
 										chunk_from_chars(ASN1_SEQUENCE, 0));
 	}
 
-	not_before = time(NULL);
-	not_after = not_before + lifetime * 24 * 60 * 60;
-
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
 					BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
@@ -536,7 +553,7 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
-		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 		 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
 		 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
@@ -552,6 +569,9 @@ static void __attribute__ ((constructor))reg()
 			{"dn",				'd', 1, "distinguished name to include as subject"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"not-before",		'F', 1, "date/time the validity of the cert starts"},
+			{"not-after",		'T', 1, "date/time the validity of the cert ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 077c1ef3e..15ace035d 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -16,9 +16,11 @@
 #include "pki.h"
 
 #include <asn1/asn1.h>
+#include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
+#include <credentials/certificates/ac.h>
 #include <selectors/traffic_selector.h>
 
 #include <time.h>
@@ -138,6 +140,10 @@ static void print_x509(x509_t *x509)
 	{
 		printf("iKEIntermediate ");
 	}
+	if (flags & X509_MS_SMARTCARD_LOGON)
+	{
+		printf("msSmartcardLogon ");
+	}
 	if (flags & X509_SELF_SIGNED)
 	{
 		printf("self-signed ");
@@ -388,6 +394,85 @@ static void print_crl(crl_t *crl)
 }
 
 /**
+ * Print AC specific information
+ */
+static void print_ac(ac_t *ac)
+{
+	ac_group_type_t type;
+	identification_t *id;
+	enumerator_t *groups;
+	chunk_t chunk;
+	bool first = TRUE;
+
+	chunk = chunk_skip_zero(ac->get_serial(ac));
+	printf("serial:    %#B\n", &chunk);
+
+	id = ac->get_holderIssuer(ac);
+	if (id)
+	{
+		printf("hissuer:  \"%Y\"\n", id);
+	}
+	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
+	if (chunk.ptr)
+	{
+		printf("hserial:   %#B\n", &chunk);
+	}
+	groups = ac->create_group_enumerator(ac);
+	while (groups->enumerate(groups, &type, &chunk))
+	{
+		int oid;
+		char *str;
+
+		if (first)
+		{
+			printf("groups:    ");
+			first = FALSE;
+		}
+		else
+		{
+			printf("           ");
+		}
+		switch (type)
+		{
+			case AC_GROUP_TYPE_STRING:
+				printf("%.*s", (int)chunk.len, chunk.ptr);
+				break;
+			case AC_GROUP_TYPE_OID:
+				oid = asn1_known_oid(chunk);
+				if (oid == OID_UNKNOWN)
+				{
+					str = asn1_oid_to_string(chunk);
+					if (str)
+					{
+						printf("%s", str);
+						free(str);
+					}
+					else
+					{
+						printf("OID:%#B", &chunk);
+					}
+				}
+				else
+				{
+					printf("%s", oid_names[oid].name);
+				}
+				break;
+			case AC_GROUP_TYPE_OCTETS:
+				printf("%#B", &chunk);
+				break;
+		}
+		printf("\n");
+	}
+	groups->destroy(groups);
+
+	chunk = ac->get_authKeyIdentifier(ac);
+	if (chunk.ptr)
+	{
+		printf("authkey:  %#B\n", &chunk);
+	}
+}
+
+/**
  * Print certificate information
  */
 static void print_cert(certificate_t *cert)
@@ -432,6 +517,9 @@ static void print_cert(certificate_t *cert)
 		case CERT_X509_CRL:
 			print_crl((crl_t*)cert);
 			break;
+		case CERT_X509_AC:
+			print_ac((ac_t*)cert);
+			break;
 		default:
 			printf("parsing certificate subtype %N not implemented\n",
 				   certificate_type_names, cert->get_type(cert));
@@ -472,6 +560,11 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_X509_CRL;
 				}
+				else if (streq(arg, "ac"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509_AC;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -558,7 +651,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl]"},
+		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl|ac]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c28c9c291..a35a42b89 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -60,8 +60,8 @@ static int self()
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
-	time_t lifetime = 1095;
-	time_t not_before, not_after;
+	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_cert_policy_t *policy = NULL;
 	char *arg;
@@ -115,13 +115,22 @@ static int self()
 				san->insert_last(san, identification_create_from_string(arg));
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
 					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
 			case 's':
 				hex = arg;
 				continue;
@@ -225,6 +234,10 @@ static int self()
 				{
 					flags |= X509_OCSP_SIGNER;
 				}
+				else if (streq(arg, "msSmartcardLogon"))
+				{
+					flags |= X509_MS_SMARTCARD_LOGON;
+				}
 				continue;
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -250,6 +263,12 @@ static int self()
 		error = "--dn is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
 	id = identification_create_from_string(dn);
 	if (id->get_type(id) != ID_DER_ASN1_DN)
 	{
@@ -314,10 +333,9 @@ static int self()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
-	not_before = time(NULL);
-	not_after = not_before + lifetime * 24 * 60 * 60;
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
 						BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
@@ -391,7 +409,7 @@ static void __attribute__ ((constructor))reg()
 		{" [--in file|--keyid hex] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
-		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 		 "[--nc-permitted name] [--nc-excluded name]",
 		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
@@ -405,6 +423,9 @@ static void __attribute__ ((constructor))reg()
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"not-before",		'F', 1, "date/time the validity of the cert starts"},
+			{"not-after",		'T', 1, "date/time the validity of the cert ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 4f9dd291d..c9eebbf59 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -124,7 +124,8 @@ static int sign_crl()
 	int serial_len = 0;
 	crl_reason_t reason = CRL_REASON_UNSPECIFIED;
 	time_t thisUpdate, nextUpdate, date = time(NULL);
-	time_t lifetime = 15;
+	time_t lifetime = 15 * 24 * 60 * 60;
+	char *datetu = NULL, *datenu = NULL, *dateform = NULL;
 	linked_list_t *list, *cdps;
 	enumerator_t *enumerator, *lastenum = NULL;
 	x509_cdp_t *cdp;
@@ -161,13 +162,22 @@ static int sign_crl()
 				lastupdate = arg;
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
-					error = "invalid lifetime";
+					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datetu = arg;
+				continue;
+			case 'T':
+				datenu = arg;
+				continue;
 			case 'z':
 				serial_len = read_serial(arg, serial, sizeof(serial));
 				if (serial_len < 0)
@@ -275,6 +285,12 @@ static int sign_crl()
 		error = "--cakey or --keyid is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datetu, datenu, lifetime,
+							&thisUpdate, &nextUpdate))
+	{
+		error = "invalid --this/next-update datetime";
+		goto usage;
+	}
 
 	ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							BUILD_FROM_FILE, cacert, BUILD_END);
@@ -321,9 +337,6 @@ static int sign_crl()
 		goto error;
 	}
 
-	thisUpdate = time(NULL);
-	nextUpdate = thisUpdate + lifetime * 24 * 60 * 60;
-
 	if (basecrl)
 	{
 		lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
@@ -442,6 +455,9 @@ static void __attribute__ ((constructor))reg()
 			{"cakey",		'k', 1, "CA private key file"},
 			{"cakeyid",		'x', 1, "keyid on smartcard of CA private key"},
 			{"lifetime",	'l', 1, "days the CRL gets a nextUpdate, default: 15"},
+			{"this-update",	'F', 1, "date/time the validity of the CRL starts"},
+			{"next-update",	'T', 1, "date/time the validity of the CRL ends"},
+			{"dateform",	'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"lastcrl",		'a', 1, "CRL of lastUpdate to copy revocations from"},
 			{"basecrl",		'b', 1, "base CRL to create a delta CRL for"},
 			{"crluri",		'u', 1, "freshest delta CRL URI to include"},
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
index 618bd4093..4c901ae3c 100644
--- a/src/pki/man/Makefile.am
+++ b/src/pki/man/Makefile.am
@@ -4,6 +4,7 @@ man1_MANS = \
 	pki---self.1 \
 	pki---issue.1 \
 	pki---signcrl.1 \
+	pki---acert.1 \
 	pki---req.1 \
 	pki---pkcs7.1 \
 	pki---keyid.1 \
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index edbde85b5..5d901a87e 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -84,7 +84,7 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
 	$(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
 	$(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
-	$(srcdir)/pki---verify.1.in
+	$(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -102,7 +102,7 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
 	pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
-	pki---self.1 pki---signcrl.1 pki---verify.1
+	pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -325,7 +325,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -371,6 +370,7 @@ man1_MANS = \
 	pki---self.1 \
 	pki---issue.1 \
 	pki---signcrl.1 \
+	pki---acert.1 \
 	pki---req.1 \
 	pki---pkcs7.1 \
 	pki---keyid.1 \
@@ -432,6 +432,8 @@ pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---acert.1: $(top_builddir)/config.status $(srcdir)/pki---acert.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
new file mode 100644
index 000000000..ec1d8be6e
--- /dev/null
+++ b/src/pki/man/pki---acert.1.in
@@ -0,0 +1,130 @@
+.TH "PKI \-\-ACERT" 1 "2014-02-05" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-acert \- Issue an attribute certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-acert
+.OP \-\-in file
+.OP \-\-group membership
+.BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex
+.BI \-\-issuercert\~ file
+.OP \-\-lifetime hours
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
+.OP \-\-serial hex
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-acert
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-acert"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue an attribute certificate using an issuer certificate with its
+private key and the holder certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Holder certificate to issue an attribute certificate for. If not given the
+certificate is read from \fISTDIN\fR.
+.TP
+.BI "\-m, \-\-group " membership
+Group membership the attribute certificate shall certify. The specified group
+is included as a string. To include multiple groups, the option can be repeated.
+.TP
+.BI "\-k, \-\-issuerkey " file
+Issuer private key file. Either this or
+.B \-\-issuerkeyid
+is required.
+.TP
+.BI "\-x, \-\-issuerkeyid " hex
+Key ID of a issuer private key on a smartcard. Either this or
+.B \-\-issuerkey
+is required.
+.TP
+.BI "\-c, \-\-issuercert " file
+Issuer certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " hours
+Hours the attribute certificate is valid, default: 24. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the AC begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the AC ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I acert.opt
+contains the following contents:
+.PP
+.EX
+  --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4
+.EE
+.PP
+Then the following command can be used to issue an attribute certificate based
+on a holder certificate and the options above:
+.PP
+.EX
+  pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 3fad1ae8a..375cb2fe4 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -14,6 +14,8 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-dn subject-dn
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -88,7 +90,28 @@ Subject distinguished name (DN) of the issued certificate.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -176,4 +199,4 @@ given PKCS#10 certificate request and the options above:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 8d3345edc..434d4ea16 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -46,8 +46,9 @@ Input file. If not given the input is read from \fISTDIN\fR.
 .BI "\-t, \-\-type " type
 Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
 private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
+defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index ee42cf9a0..5e6e78bd0 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -14,6 +14,8 @@ pki \-\-self \- Create a self-signed certificate
 .BI \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -75,7 +77,28 @@ Subject and issuer distinguished name (DN). Required.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -145,4 +168,4 @@ Generate a self-signed certificate using the given RSA key:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index 6ba96f6bc..bd6cba547 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -10,6 +10,8 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific
 .BI \-\-cakey\~ file |\-\-cakeyid\~ hex
 .BI \-\-cacert\~ file
 .OP \-\-lifetime days
+.OP \-\-this-update datetime
+.OP \-\-next-update datetime
 .OP \-\-lastcrl crl
 .OP \-\-basecrl crl
 .OP \-\-crluri uri
@@ -62,7 +64,28 @@ is required.
 CA certificate file. Required.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days until the CRL gets a nextUpdate, default: 15.
+Days until the CRL gets a nextUpdate, default: 15. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-this-update " datetime
+Absolute time when the validity of the CRL begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-next-update " datetime
+Absolute time when the validity of the CRL end. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-this\-update
+and
+.B \-\-next\-update
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-a, \-\-lastcrl " crl
 CRL of lastUpdate to copy revocations from.
@@ -121,4 +144,4 @@ number, but no reason:
 .PP
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
index 8dfc53af3..f347031b4 100644
--- a/src/pki/man/pki.1.in
+++ b/src/pki/man/pki.1.in
@@ -49,6 +49,9 @@ Issue a certificate using a CA certificate and key.
 .B "\-c, \-\-signcrl"
 Issue a CRL using a CA certificate and key.
 .TP
+.B "\-z, \-\-acert"
+Issue an attribute certificate.
+.TP
 .B "\-r, \-\-req"
 Create a PKCS#10 certificate request.
 .TP
@@ -148,6 +151,7 @@ certificates with the \-\-crl option.
 .BR pki\ \-\-self (1),
 .BR pki\ \-\-issue (1),
 .BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-acert (1),
 .BR pki\ \-\-req (1),
 .BR pki\ \-\-pkcs7 (1),
 .BR pki\ \-\-keyid (1),
diff --git a/src/pki/pki.c b/src/pki/pki.c
index eb614dd7f..ae4ef1cb0 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -13,9 +13,11 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
 #include "command.h"
 #include "pki.h"
 
+#include <time.h>
 #include <unistd.h>
 
 #include <utils/debug.h>
@@ -102,6 +104,56 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 }
 
 /**
+ * See header
+ */
+bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
+						time_t *nb, time_t *na)
+{
+	struct tm tm;
+	time_t now;
+	char *end;
+
+	if (!format)
+	{
+		format = "%d.%m.%y %T";
+	}
+
+	now = time(NULL);
+
+	localtime_r(&now, &tm);
+	if (nbstr)
+	{
+		end = strptime(nbstr, format, &tm);
+		if (end == NULL || *end != '\0')
+		{
+			return FALSE;
+		}
+	}
+	*nb = mktime(&tm);
+
+	localtime_r(&now, &tm);
+	if (nastr)
+	{
+		end = strptime(nastr, format, &tm);
+		if (end == NULL || *end != '\0')
+		{
+			return FALSE;
+		}
+	}
+	*na = mktime(&tm);
+
+	if (!nbstr && nastr)
+	{
+		*nb = *na - span;
+	}
+	else if (!nastr)
+	{
+		*na = *nb + span;
+	}
+	return TRUE;
+}
+
+/**
  * Callback credential set pki uses
  */
 static callback_cred_t *cb_set;
@@ -188,4 +240,3 @@ int main(int argc, char *argv[])
 	atexit(remove_callback);
 	return command_dispatch(argc, argv);
 }
-
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 09c50c6c2..616fac44a 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -33,4 +33,21 @@
  */
 bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
 
+/**
+ * Calculate start/end lifetime for certificates.
+ *
+ * If both nbstr and nastr are given, span is ignored. Otherwise missing
+ * arguments are calculated, or assumed to be now.
+ *
+ * @param format	strptime() format, NULL for default: %d.%m.%y %T
+ * @param nbstr		string describing notBefore datetime, or NULL
+ * @param nastr		string describing notAfter datetime, or NULL
+ * @param span		lifetime span, from notBefore to notAfter
+ * @param nb		calculated notBefore time
+ * @param na		calculated notAfter time
+ * @return			TRUE of nb/na calculated successfully
+ */
+bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
+						time_t *nb, time_t *na);
+
 #endif /** PKI_H_ @}*/
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index 63489034f..e8caddc63 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index 61dff904e..d9a8259e9 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -342,7 +342,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 06354da5f..524e05bd7 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 7a9154d84..3f3200d64 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 0b285285b..61136e84a 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -341,7 +341,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 21858672b..f9acc24ad 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/testing/do-tests b/testing/do-tests
index 979cb487f..becb7f181 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -373,6 +373,15 @@ do
 	    done
 	fi
 
+	##########################################################################
+	# flush conntrack table on all hosts
+	#
+
+	for host in $STRONGSWANHOSTS
+	do
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host` 'conntrack -F' >/dev/null 2>&1
+	done
+
 
 	##########################################################################
 	# execute pre-test commands
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 728c18c12..5958a1347 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -37,3 +37,4 @@ V	161015124507Z		24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongsw
 V	161015124759Z		25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
 V	161015125030Z		26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
 V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
+R	190321135622Z	140322135700Z,CACompromise	28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index b9ab05a4f..a6d5a0828 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -36,3 +36,5 @@ V	151119165922Z		23	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=m
 V	161015124507Z		24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
 V	161015124759Z		25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
 V	161015125030Z		26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
+V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
+V	190321135622Z		28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/28.pem b/testing/hosts/winnetou/etc/openssl/newcerts/28.pem
new file mode 100644
index 000000000..4d9fed09a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/28.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC
+wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7
+Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ
+Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG
+6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN
+d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC
+mk13kTA=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
index 77f5bde52..dd6ed8e4b 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
 IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
-Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT
 AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
 bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
@@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
 mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
 DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
 UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
-4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
-BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
-rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
-GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
-FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
-BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
-9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
-zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
-14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
-lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
-1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==
+4qcCAwEAAaOCARYwggESMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G
+A1UdDgQWBBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJ
+bwUSQJDtrfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9y
+aXR5MRwwGgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkA5Dcz3FD7TswwHgYD
+VR0RBBcwFYITb2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD
+CTANBgkqhkiG9w0BAQsFAAOCAQEAp6nXN0kW1HduCfwJQ/JVs4PJMZ80na7l1ret
+YBWy0PflqOOOMudLu4eWbMipLBkgly9WYXrZlvIVkPHXJ9YJHevy3Wn3DRefsJ9l
+Zdrc3A1WclEEE5aK3uq+c/VK5oYBYNkSMOgwDzD18WoRpyUhUxwZTWMG27nutZfS
+fl0P8pjkx+YC0nNJjK50hq7wcd2U2JBFl3WLtrjDpIyuYSaDhPMqCGYyNqrAuWTJ
+T5cZWY8r5pKMRQLqKX+IOTHkhk0wS8U3o8TCBe5g2J9dDedDCz+/UAIq2rFPhXxE
+FiVXHxDxr4APbVurgspe5jm36oNRSK1MAMrhYZDTle/caa2frA==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index a614ff640..3939efc98 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -165,10 +165,12 @@ crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
 
 [ ca_ext ]
 
-basicConstraints               	= critical, CA:TRUE, pathlen:1
+basicConstraints               	= critical, CA:TRUE #, pathlen:1
 keyUsage                        = cRLSign, keyCertSign
 subjectKeyIdentifier		= hash
 authorityKeyIdentifier		= keyid, issuer:always
+#subjectAltName                  = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage               = OCSPSigning
 
 ####################################################################
 
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 844e001c7..0565c768e 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,7 +1,9 @@
 R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
-V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+R	120323210330Z	140324140605Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+R	140323203747Z	140324142334Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	190323140633Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V	190323142352Z		09	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 3ebf4b191..8a0231b05 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1,6 +1,8 @@
 R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
-V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+R	120323210330Z	140324140605Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+R	140323203747Z	140324142334Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	190323140633Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem
new file mode 100644
index 000000000..8f7b7cc85
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEaDCCA1CgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MDYzM1oXDTE5MDMyMzE0MDYz
+M1oweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
+BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT
+HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6Jq9DciPtR5iC73URlc9qcqFl+QGeRDxDLCtnLqFjkuWv
+0ul17qZH0iMwxbbRU1UZo2bANNwAmWxBcT6VNf84V9Dj9m9UwUTSfegrkN2RVBEH
+cHm5higeJzC25C46S+VCTQkq8QxS2k34sA2sK6vys1XDgzwmDfT/GYyHf3nl0blR
+GkrotmgVAsweUVQ7a5ThcWVf4d06F3mN5xxGWNxgNoVxZ5Ki6a9dMuQRrNh54qje
+N1pulp0fZWxshWK0YrQSpPhKgz5kAflSnIwrdyjFdFS8WKpLOAkXV/NyZa6urUw7
+mz3owNCZJqCrYjC2JdTS3wUqRZhx1xyY2DO+laLJAgMBAAGjggEhMIIBHTAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU/cGV4/+zOIk30UYg1R87H7V9
+GAgwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCASAwJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
+bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo
+hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG
+9w0BAQsFAAOCAQEAWyIL5QjvpT0SC1BHVItXbq06D0DwOUFfei4lLyuDZLpFYrNX
+AujT6WqTdjki1Gx8GbOdz7YAoWVw61g9w8jKEwDg/UIKYGzjokXWzVg4v5eEakF+
++APmZRpk9ezBZgvKZ3k49OaRvtWjUSUy6aZU+vfsdd2oO3JKyonJY05y+cm0N0qT
+ytWMzX+Zig1NEArG2FnUTMPjudOCn0YiK41siFEaS9AHYXfsU3MhVer08PobmIKy
+cLfhoXF+xpn8+DCp8fcAEt7sJX2us71XmQBxSpfFW4FeGjcye11YU4QRBFDMP47f
+t5cybNEL+tLtcdJzPFxQlly0pc0w8BN4F6eY8w==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem
new file mode 100644
index 000000000..94bf123d2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID+DCCAuCgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MjM1MloXDTE5MDMyMzE0MjM1
+MlowYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
+BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXPVagzyvHEGzA
+6jWum0URx2TSMs8cM991OU3n8fkBiLEY9H8DUbjEZlZ0mgcxTOSXSmyqmW+10QCy
+yHPBtR0kxNY/Bl/+QppnB7IpFCR9bsvA4bySYUbdlQWdIPGTmT1polGtoF1mPZ2r
+JqN+Ai5jnFduJ+/189l8chqcz8KlJ2Jp72OaeYqQpgDfo63hqS71OzyY1Cu27vHl
+ay186P+HW75yr5YMwxtYk/rZ6jHRMXFwmI+bq1vgpKYHTomaVCG3zDUD+1XsGVBX
+u3z6qh6FaxxDPizT/fcCbYcYGbKjJw14JOqfddeAHZe+N41Wev0gAhOCIgUiMoxV
+bbx0XkMzAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFHtMZgnElcGoYKmMUvCkQaloTKKfMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj
+zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
+b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEgMB8GA1UdEQQY
+MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCWS7T3
+Np88w0oHJAeMJUdfNGVSlhPFrtqnrNDqYleLEgY2XwJj6cxottILtvgJ+nbsT4uz
+bp5Qk4pygNG3wESt0avGptgSs0Pued/CdHMyyFTrFw/RN7113eTHShDfTtnS0dhh
+6AkI2lxFcNwrGMGh2CqdOyApDYqdm5qayk2CSKnoWOvEL1+SLyfy+XIYCFkarfbv
+ZTCWeO/R8doQVZ+H2gW6NloYJVkUpfMHCqTpd9psAK+hvc/R+6eP03wmhAb8S4mK
+OGdb8VOT7CAaL8f37vrDvj08nOG32j24/JOyrtS7vuAhP2QmDDF15XucygtgskRB
+iQNoCoi+dBX92ol4
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
index 279b4191d..8f7b7cc85 100644
--- a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
@@ -1,26 +1,26 @@
 -----BEGIN CERTIFICATE-----
-MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIEaDCCA1CgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz
-MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MDYzM1oXDTE5MDMyMzE0MDYz
+M1oweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
 BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT
 HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2
-ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA
-TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs
-qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo
-h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io
-HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV
-HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw
-5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV
+A4IBDwAwggEKAoIBAQC6Jq9DciPtR5iC73URlc9qcqFl+QGeRDxDLCtnLqFjkuWv
+0ul17qZH0iMwxbbRU1UZo2bANNwAmWxBcT6VNf84V9Dj9m9UwUTSfegrkN2RVBEH
+cHm5higeJzC25C46S+VCTQkq8QxS2k34sA2sK6vys1XDgzwmDfT/GYyHf3nl0blR
+GkrotmgVAsweUVQ7a5ThcWVf4d06F3mN5xxGWNxgNoVxZ5Ki6a9dMuQRrNh54qje
+N1pulp0fZWxshWK0YrQSpPhKgz5kAflSnIwrdyjFdFS8WKpLOAkXV/NyZa6urUw7
+mz3owNCZJqCrYjC2JdTS3wUqRZhx1xyY2DO+laLJAgMBAAGjggEhMIIBHTAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU/cGV4/+zOIk30UYg1R87H7V9
+GAgwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
+bmdTd2FuIFJvb3QgQ0GCASAwJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
 bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo
 hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG
-9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn
-l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D
-4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78
-d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj
-1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r
-qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA==
+9w0BAQsFAAOCAQEAWyIL5QjvpT0SC1BHVItXbq06D0DwOUFfei4lLyuDZLpFYrNX
+AujT6WqTdjki1Gx8GbOdz7YAoWVw61g9w8jKEwDg/UIKYGzjokXWzVg4v5eEakF+
++APmZRpk9ezBZgvKZ3k49OaRvtWjUSUy6aZU+vfsdd2oO3JKyonJY05y+cm0N0qT
+ytWMzX+Zig1NEArG2FnUTMPjudOCn0YiK41siFEaS9AHYXfsU3MhVer08PobmIKy
+cLfhoXF+xpn8+DCp8fcAEt7sJX2us71XmQBxSpfFW4FeGjcye11YU4QRBFDMP47f
+t5cybNEL+tLtcdJzPFxQlly0pc0w8BN4F6eY8w==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
index adbfe0f92..1355fc3c6 100644
--- a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArl39cBowZOcLYX8iXDYGLublXSvX6ge5OULMMu+jNiY2dhAr
-/CWTLxgwvXIisBKi90JDfhPdEbrHQqoGmwJditwL20eFTqWgnct9aXT2in0VwE2s
-yB9BhvE/wSJlk7sHhbdF5rApeuUoaFbpdAx1k5YuIzgIByI+nqGJUKUSOgm2bKnX
-BmSUVs2TD2vOkN4tpygLDoloe44NOLixbFrvtrgWJrD0myqmXu+hWOZvj4AMKIdG
-xSSPasuGq8rzWYhU9frd4Xf8Lf2V56mF+FrGXBpTzpSmaIg5Zl81NStWGO9YqB1I
-h+0DmAWGPvPjHOZMLf66KWBG3y3wBDQu1lfvLQIDAQABAoIBAEx5LnknE0h9yJEH
-GEPG8elKHRhC7VxX7NV/RV2lmjhahBI9v3zD4gyKmH3N/Aaq9cxpxH4cKh3nhBLp
-zSHY5LvNDGossPuwSoRKRgOlZ6ePeqWvq3LNuoh7cFG9Sz2CjqcHnWGyq06aCKHS
-VGswN7T17eBGZ8bxLvOVt0qmSxsmg2A2tmZQCAhc6IkEe3L4sqtS4N1y+8J1GSuu
-KlIuT9NtReDiXXQNxr48QJeddj6RE+5xgInUEUGPUrOnv+lllxN42u0Yrqnnci7M
-SNuxiCkYmvUm47zem3mUKrTJnr4uyKSVnzY5wKcbjebnjlaJmWefM6L7wTKYGbbF
-KsXXwOUCgYEA5cXCD09Oeb888dwgvOaVgZqfJaCex2wZ2Wgu8dm3y2YcrNHbrj13
-PU+1fBp29AE4cNowUitL0rHPE232WyKPCsvEt4H/ioucWvXUc9rzNlo+2H4J6ZMI
-4GQp2WXQZeqEAAI35qdcRwIDMRJdsDlg9fAwKAGJAYLhL4fZewmPb8cCgYEAwkU3
-ynMCj1XMvZzhPNS9bACD1euSLTopdAzlASX9bVnDGJ5/KeWl2PqJjrmV3LCjX/4t
-WnGsP5bgv6IGVRpTcjeJSebF2kEA/pwYEZJezwh304JUqsqg4K4QF1ra5v3Wp06e
-Y+sMdUphzTQFAvGzWTSQweSVlXHgrW+VWxdIEWsCgYApwL7b01h6TSMA/DRCv0/p
-pjRHPSG9MUqdNA5bymlYn6yURuo5hlfVn1dmPtTg0Bv2fd+L/uwfVEpByJicxPHj
-T1Xm1sud3HLEIKnDh8TsWofTBUw90ocpZ2onZBXzfyMPcVfBJSZijN4Rm7nEnRie
-eE/35ReFW8gZwADoF7ul3wKBgELkXo+BBnKgUn0/lXbCse6MRtjT4mNcUYW6IuhA
-UoDilYDWomakwnRx4Aea83UoBTk6ZhdsaKkEpKKXgaKwC+eaI9Wkdp/uHg+NY+Q5
-CBg1jDzx9YFRgA+dH8FK8XD0GoNFWNiCyKliUUa9ELSw0NZ4eReqQ69PpNNTRpQ0
-8gW9AoGBAIUpz52BrP0XcIEE+f9ONKGJq+cr1cRXDZlgHBE90GA/b5hfMiAmvaGm
-SVdBXfUzIwEv6fHRqFjXsGqRI1qD6my69khnoObu3H+DR4Dsk/3iwxDMEpK63dfM
-p2fp/wc8G/s/5YVQeAOW0NpPY7qyGDoXN5UcHfLjJw23gbkUJD58
+MIIEowIBAAKCAQEAuiavQ3Ij7UeYgu91EZXPanKhZfkBnkQ8QywrZy6hY5Llr9Lp
+de6mR9IjMMW20VNVGaNmwDTcAJlsQXE+lTX/OFfQ4/ZvVMFE0n3oK5DdkVQRB3B5
+uYYoHicwtuQuOkvlQk0JKvEMUtpN+LANrCur8rNVw4M8Jg30/xmMh3955dG5URpK
+6LZoFQLMHlFUO2uU4XFlX+HdOhd5jeccRljcYDaFcWeSoumvXTLkEazYeeKo3jda
+bpadH2VsbIVitGK0EqT4SoM+ZAH5UpyMK3coxXRUvFiqSzgJF1fzcmWurq1MO5s9
+6MDQmSagq2IwtiXU0t8FKkWYcdccmNgzvpWiyQIDAQABAoIBAQCqbIBI31bFBac7
+OL+VOfKLIidhlHdGznHdjbKu5KIc54AhWJckwTi6yEgvftPBEOn4bwDDN6GzasMR
+pvwE30qp6rvz+Mo0bjzz+RF10UsIok504SSQFaLk+DxBNOaduJ5L9PtPtR/zOqnn
+5EagOdtSd50tQhjvPhfu9RUTeEHBhJDILUIZeJ4pCkM6/+agsgnDP2/4PucCXHkD
+8k6FLw2eoYMY3e9UKuiWUGXiCVopIZmZcG33ipQ3VFUzrP9JmE7ji4/p40VfShvV
+/fKWPEGe11IOQf8VJfcTYjluCbq8+UkIO4HgZxa36sxtYTjC+4MR9MDfMNIM+GzH
+mh+qd84BAoGBANx2v3tCY0zVAkqhoilOTYAixeTJjzsFRjR/9XkxfkrGJt8kl7jk
+s3hl4VUlblT1FWytk2vN8mE2MfT73mie0TpsNCefrWN9Xd9Yi7xjpJDfyMs8spD4
+8snmLK5euFNMNqbu9tyi2sfUR41FBi8kUzA7WAMx+M/pHUug6i/Xn4XlAoGBANgo
+DPF7M+BCsls8OibT49+K4nF3rQWY4axojcCb5UZQRMDysg0ji0nwYqQktDjBk74w
+3uIITVlB6UaG5dZ9O6C3ZP1+yi9Egoj6XYG74YKebgZnH7F1EKEdZnh7BPlTOQsl
+kv9Ccm2r4RrxSsbXpDIel/54s8rdVPHfdfiv1psVAoGAMIWSLza1VDutfW+FmUG6
+nPEKTQhvlbXbdcKT7FCQUzS5aXNMUU1EksMZjPvoBJrMVFb/k0KIjgy3ggvNL4mE
+0y7ta6shJjx5ZKbAWn4zwg7+ynxZcL7Z8MXQH7CJMQwdGzCM9JKDRGfcN6NxcP61
+sG/fNxTQhjHwWKzZ3h2+5mECgYBd254rKO0QnsVlWlSB0ZXr1hmXXXjSqlyriUar
+8MVwb6A7C+cGT33G4EtkrM9Yqa1mc0AEc8hqTnVle2PHa999XMTMUcanGZ94rQX3
+NEaqefKacyLO4l8TJnn9LKWvQVTOo0Ud85NOTcjT8xweFTqlzKUBCRZAqzScRgSq
+tGeCNQKBgE9nGL9anLDb7CD05ya0L3mW0cIkPz42NKCNI7zCs17ujABII6BpDXK1
+ApiZf3JxoTlp8czTvS6hqBZhicd6WxFqSBRhC8nOuq5YKPBPRQssayirzJiEi/JV
+qEZzKbKKRUl33ESWI8ltWz/hg/WE0gSQyJVpyPo3IOI22a+KHvNe
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index adb9de8ee..d9bb888f8 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-08
+0A
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 2c7456e3e..86397e5c1 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-07
+09
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index 314acd784..36b24a619 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,6 +1,8 @@
 R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
 R	100615195536Z	100703150410Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
-V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
-V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
+R	120323211811Z	140324141327Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+R	140323211053Z	140324141726Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
 V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
 V	150702152829Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190323141524Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+V	190323152702Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index fd5485026..1db0072db 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1,5 +1,7 @@
 R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
-R	100615195536Z	100703150410Z	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
-V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
-V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
+R	100615195536Z	100703150410Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	120323211811Z	140324141327Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+R	140323211053Z	140324141726Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
 V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V	150702152829Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190323141524Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem
new file mode 100644
index 000000000..bd7eb729d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVjCCAz6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE0MTUyNFoXDTE5MDMyMzE0MTUyNFowczEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT
+HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs
+ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6zwcVirVu3/hsJRQY19GOO9Rw1BbCGd3t+dSYfkCFFt3l4JeAwAvPlXB1fbfT
+vCJryl/xIcfgq58ZIgqjC0tEOKaVYa0ySvdlmI7HdqTWrFx5dqQpsSiU14U8xb5U
+QAr9ha0AhRc5et2evsdg4bFNwlbOdrcKfQ82F+gRUi6v4n4PLLKDhH//L+PmUNBn
+CTkmVcDVxlRkTvjwKhWpSbh99lFRhR2BuB91frCGXuZUnyue0FOXQrFLeY1bgzJa
+hC+pvAMfx7P0XY/3V+H+vMlJOfYM2e2+np9Ca4l6mpmA3dvuiDHNe8xGl48EKT5m
+iY3wk3wluBl5vEzz1UBp7i4RAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIDqDAdBgNVHQ4EFgQUUHRhgpplj7IuGGKeMOaU0UEKTcEwbQYDVR0jBGYw
+ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCASEwJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
+HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiFNm9XwY
+u21dMTYWGT480c/ijzeBhV+eT0im5kifb3V+tW0ZpWiTDumqfplFeamNReXpkVkJ
+G8Tfsejc1A2CTmiKe4FPEl+Ukm2lCpIvY1TjO7nGN8TJUF0DPKU5GjijbIKbQben
+utQBMEtuuLJnZpSEk60YhamPvUWWkoKXKEwyHPHK6KozrLj1E/j/wk0sFNaNOijr
+DKe+Hb57x4Sta5WlXqFxeBviwnnAS895UAGlM+vGU4hxw1LNs0HfS0TRoKhk+Cmt
+N8rYAvzn4ziXNqa3A7FtuVviyXjY7eQEaIVA70795xmyVqQJTgkECBnD2Bk7qBUI
+kuR4vkO8gStiKA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem
new file mode 100644
index 000000000..c464df579
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE1MjcwMloXDTE5MDMyMzE1MjcwMlowXTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT
+DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7tkn1sXzlBRzSVHoPoct2D0kht
+E/Tf+LnryMsw79IBMfiOU61ijdwx2jCLxUh7t90NEIN4CdpIYqzc/1Yi/LWXD9+G
+8gBwft5nqTIz8S8Lf6Qiy4LjGXV3VWpDMZLLRJL5ZWm+0ZN8Wtp9qglVh4LnQSiy
++NYTlxnRtPB7xkwia287wn4aQfNJpNhlocXdSpGIF5bNIQm32n84SDMafXtuA+vv
+8/72nBiy2SWhkAd+CiNq5dnZkYGnIFL718V6Zu4kmZQhzM3gi/7POZCkOCeSZVeh
+AJJf1mJI7SJH54XYkZLUS5EG6ad3kBf1nFGRAjPgwxQHhfUlP8njpjsV7WUCAwEA
+AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSYfvgn
+nLJ1nMbHDd2zdo60Qpy0HDBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT
+KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZl
+QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0
+cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQELBQADggEB
+AK3d7gR8IpPu03rV/RnOx4seoZAgm6//nCvP2ceFrEy4tbihnJ+QDvwrgKb/UvwK
+yERLXh/X7WhDyLSyVrbQq/Jj4xEOB5PMSItpmiDHYGX+YaiymZT3VsTJah1zqxSe
+amqHhrlW2U+UDqz/7vFClknSO6tn1vbNo4miYiVALGtRSMhFhVZsXfnA9+VKLdua
+vvdeueRCDg7aXPfAU0MAdcJIYoegJRnLZsJ4IfE/OWvMFnR1w4NmhIHhNT8T/ib0
+3pi2cp6JeSOcZ1Upd2napUoGd2U4XfNE15XGCdoVRazA1STWhfHwu/aBUnINpk0M
+zqpIrvuM6lklZb8gUl4pPwc=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
index ce2ff7b9d..bd7eb729d 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
@@ -1,26 +1,26 @@
 -----BEGIN CERTIFICATE-----
-MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEVjCCAz6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL
+BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE0MTUyNFoXDTE5MDMyMzE0MTUyNFowczEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT
 HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs
 ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV
-AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9
-K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO
-yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8
-N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT
-oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
-DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw
+AQC6zwcVirVu3/hsJRQY19GOO9Rw1BbCGd3t+dSYfkCFFt3l4JeAwAvPlXB1fbfT
+vCJryl/xIcfgq58ZIgqjC0tEOKaVYa0ySvdlmI7HdqTWrFx5dqQpsSiU14U8xb5U
+QAr9ha0AhRc5et2evsdg4bFNwlbOdrcKfQ82F+gRUi6v4n4PLLKDhH//L+PmUNBn
+CTkmVcDVxlRkTvjwKhWpSbh99lFRhR2BuB91frCGXuZUnyue0FOXQrFLeY1bgzJa
+hC+pvAMfx7P0XY/3V+H+vMlJOfYM2e2+np9Ca4l6mpmA3dvuiDHNe8xGl48EKT5m
+iY3wk3wluBl5vEzz1UBp7i4RAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIDqDAdBgNVHQ4EFgQUUHRhgpplj7IuGGKeMOaU0UEKTcEwbQYDVR0jBGYw
 ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
 VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
+Q0GCASEwJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
 HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8
-DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3
-csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg
-pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH
-XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl
-is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH
-kiJdzc42Apd8uw==
+cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiFNm9XwY
+u21dMTYWGT480c/ijzeBhV+eT0im5kifb3V+tW0ZpWiTDumqfplFeamNReXpkVkJ
+G8Tfsejc1A2CTmiKe4FPEl+Ukm2lCpIvY1TjO7nGN8TJUF0DPKU5GjijbIKbQben
+utQBMEtuuLJnZpSEk60YhamPvUWWkoKXKEwyHPHK6KozrLj1E/j/wk0sFNaNOijr
+DKe+Hb57x4Sta5WlXqFxeBviwnnAS895UAGlM+vGU4hxw1LNs0HfS0TRoKhk+Cmt
+N8rYAvzn4ziXNqa3A7FtuVviyXjY7eQEaIVA70795xmyVqQJTgkECBnD2Bk7qBUI
+kuR4vkO8gStiKA==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
index 5d10a3467..288aecb08 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAxoAdtFk8xFVDRg1P4sMTf3sm5mAENq1MrcaMilB6DfEO7QE4
-O28B9x6zHXOSVQAOLolhXazcOxhrvkCVa2Ivu43be+n33HJOnkIy5plbBqeE9elP
-dNGcxYesy54bPSv0sPMohjEHGJ3G5Uk+Epd2Hel3YmP32R7HLGxY8VaTxscHm2Tz
-4q7pHlgxS1MFTsnOQO6XajZb5n8ubYjuQ7PIUDEMlaqZpQ2ME0M98mUtvl+CJ/Bq
-4LwZ1Gf3rRs6vDft9PcF/4Nlr3CmA6Vi6rtysZMC/kE02ISDOjb0F7Txgn9zOcgb
-aDaj84CKl73rk6DMCcBfrg2XXQVowHiNRvifAQIDAQABAoIBAQCUOZL02zYfPbPw
-mXwvzo++wA16NfSvh5UcpojHt/SMeJc2r5R3/Rqwl8IUmfqJcnMkmP2V38DMeB3s
-gXmSKE2QdguRalLl0I2Ya8Jqo9VvEKSepMvqZaP1dKy5l6SrdylPASQfoHi2Dws4
-qAqsA2H2UCIP3Kp0/SCpsXZxML9EzIWtYtvrqJ0p0EI9ZzEn5uFok91qTYqD9c3T
-v142OyfmHlwICLy7UlFkmawrV4PIIP2RGTRgr2b16Vis7mAkRC7blsFXUEBb8hwE
-SmISdZYXc+NCesonXYGeRhln8PPLI3/T+HHH8G2eFhyQISHgE0CbjK+zvFcAddvD
-BbeceDPhAoGBAOkXwIklHvzSj4QoCi572QNkNIkxlIa6PL3I2ygJczeB1vj9kvVc
-CV2onhvBL3FGy0BJrQI7UBySW59/GdSs+WJFQWlIwI9QglDS8itAQK6+9zeyg69U
-NbGw784NGn5cP3F4P3QCGEUg5Oj8t0iE8gKbljz6rlSjO5uhXYOYf0rtAoGBANoC
-E0noRtG4QloEbIiHjLbnNAjabOO9KNm9FLZZFnGvTHQ1690i+GBOXC/cbP3jo6tz
-07+Ob/+IKhXhEj9opGu8ZvEfarHmBEWxj6TdvFmlaHEcEFD0LqGu5ssSfW3S3AEB
-Z3rBLkEeJYUYQqCU+vgZHEbrLWeBt33AIeB1nN3lAoGAL0LJnwUPy2NGBh24MsSZ
-s75ViJus6cRJHJHlHbEM02xYEhQX//exTnQp2qbI38bi3x4RHiq4i5KBUU2MBzsr
-NWmlYZuGr4g7Y/fhcjOM6eF+bqSbXqlMWcLuXHD7tjMuCeu/sd3a3elVgIf9AY8z
-IqQ5ShPp1O9j3qJRO6Vn6eECgYBIu9KFoOonxArXD4zKTDcFOsPghEc5//0mD/Be
-GgDj8vFWADtt7uHg96PIEAmI9y6+4Ajwauww29P2sr2szBO3IgdSQQIO0kfwnJnp
-DlVtr0LWId/LsnvwU3MKo2OXhXcDGt3UValB7nXkHsDz5GCK743Al2vxkZSPbs+e
-nH62hQKBgQC8AouEwXXXQD8+MnW+qcIbaAzVMirc94sI3fQH1AnfiZHH6aMCOh/4
-xoh/RzylotQlOk1xjCOB4O/Hhd+MAnlH9ZawCnRdvB/4usxd4j2AYr0Np7Q+VUyx
-EFejvkdm20j1dh29jfSbiXHd2RCoFimX0Dr3weiRqffqi9aV2tdqLQ==
+MIIEowIBAAKCAQEAus8HFYq1bt/4bCUUGNfRjjvUcNQWwhnd7fnUmH5AhRbd5eCX
+gMALz5VwdX2307wia8pf8SHH4KufGSIKowtLRDimlWGtMkr3ZZiOx3ak1qxceXak
+KbEolNeFPMW+VEAK/YWtAIUXOXrdnr7HYOGxTcJWzna3Cn0PNhfoEVIur+J+Dyyy
+g4R//y/j5lDQZwk5JlXA1cZUZE748CoVqUm4ffZRUYUdgbgfdX6whl7mVJ8rntBT
+l0KxS3mNW4MyWoQvqbwDH8ez9F2P91fh/rzJSTn2DNntvp6fQmuJepqZgN3b7ogx
+zXvMRpePBCk+ZomN8JN8JbgZebxM89VAae4uEQIDAQABAoIBAB8kFe08Y0RpZ7M3
+dyMxDwjj5mUspeKTh1B9fjgxi7Xj+vewOfFHknB3W/jqDTPpv98yLE45MGW+llYN
+O7K0Vka4HuT2FHY20wkHpn2PxKjYsM26vmEI3Ff7mYVo/XJz/qEGoLFefmGhnsIw
+0XHQDcuFowzl81t3P4rn71K73XaKRUjS8EMnuyqN2vKIsOyoexslRRfab01Iypb1
+IIpWgL4ZGy1KSaymT+F6KfblAR3W6txsHyLKz39YzwMAVC5tL1zFlWMr2oUkjCn5
+DphKGSF/rUOLN82VwXj3+vKdp+8FG7KyxS5yI208srwuHi3PiPNZj8Mjo2rqZ7Aq
+iT+MDrECgYEA3XjNNSBg0aJMv894K3eQTFG879iByQBHv5zIuuaJwRPTAAkKAcBe
+XEZyvf72CAzkQJdUGkxhaNPI2S9+euzitlGwTp4XWC6/N1pZWVWpu4daiihBgw1j
+hsOpvnJCR0SCSWQXTF+G4cJ6L8JF4nECfRpmZKRkY/pfWg5x2VqlLj0CgYEA1+7H
+UTD+dng7hD9Amn/yl5d/5utUW5hTzeTDGm16Xrzhszi/Lj62/OcnnF3FVSgqcLoi
+jti32P7XeeZYe8BcwF5rrk1/xEfs0HtRDL3Fw3ZatJNL+MqkWmTOftbvZq0vJqmA
+Y03Gwc4Wk8u+s88m4Yd0Uu/fQoZTochlpHNtsGUCgYAKXwbVDxAZoQ0RCmkpN+8k
+88ryPGRPgljZy0DHJ9aZmREPdlzmmhiRH6dt6EujMt9ZevywQpVpMEm+ie/VV9SC
+Dy8/bz3OnlnMAMogWdeZ9Yuy3pG6zlyzyePgDD+4UKf9Qdepduu9FLteEy3snbgt
+HZhf7CbbW7UtZXHFaO5FTQKBgEMucSjbm2/0fF/q5giroihz5EFOGlLdE8XNVL5W
+LWpoTbhbAXA75ubMbFCEBC84bevgnXvgBWMn9pZgiksGUFUxi0MRrZy92/oJQ/A4
+4tyraBEietKPCY9uKajg6l8BptfaiK1ct2f43KFjFJQQ8UHdyN088DNcY4zEMot1
+tjzZAoGBAMtLZ5chaulGceF9B4EOFlAfZ73Wnd3okLkmVNr1pV2m4JM43lMtyBVk
+lsrzNDyj7mqpdbdTk9L93SMzuN710+uV8m3Km+nszW0OkzLshR6QUrn8guXFu6a7
+B2bbVtgUDGt+mMuwrgVFPLStmNAUfbIAFp03+sQxD29Oy0Dvv3xv
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index 0e3a45292..8511c5452 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -157,6 +157,7 @@ subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
 subjectAltName                  = email:$ENV::COMMON_NAME 
 crlDistributionPoints          	= URI:http://crl.strongswan.org/sales.crl
+#authorityInfoAccess             = OCSP;URI:http://ocsp2.strongswan.org:8882
 
 ####################################################################
 
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index 2c7456e3e..86397e5c1 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-07
+09
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index cd672a533..adb9de8ee 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-06
+08
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 9902f1784..f04c001f3 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-28
+29
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index f64f5d8d8..9902f1784 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-27
+28
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 438e6668a..c4142086f 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -76,6 +76,7 @@ CONFIG_OPTS = \
 	--enable-unbound \
 	--enable-ipseckey \
 	--enable-dnscert \
+	--enable-acert \
 	--enable-cmd \
 	--enable-libipsec \
 	--enable-kernel-libipsec \
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
index e27685447..2d08b38bc 100644
--- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
index 3ddd02fe7..037d4348d 100644
--- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     required = yes
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
index e27685447..2d08b38bc 100644
--- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index 969a5f5aa..1dcaed4a3 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index 969a5f5aa..1dcaed4a3 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index 969a5f5aa..1dcaed4a3 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index 969a5f5aa..1dcaed4a3 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 671d97342..2b4da7495 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 3ddd02fe7..037d4348d 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     required = yes
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 671d97342..2b4da7495 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
index e4ffe8eef..867016dba 100644
--- a/testing/tests/ha/both-active/posttest.dat
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -13,5 +13,3 @@ alice::ip addr del 10.1.0.5/16 dev eth0
 alice::ifdown eth1
 venus::ip route del default via 10.1.0.5 dev eth0
 venus::ip route add default via 10.1.0.1 dev eth0
-moon::conntrack -F
-alice::conntrack -F 
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 63d4f98e7..ec663e70d 100644
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -4,6 +4,4 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
 sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index aa806bfc9..f434b336c 100644
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -4,5 +4,3 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat
index 4643a3a7b..bc7d23771 100644
--- a/testing/tests/ikev1/nat-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
index 11bd19da7..b9fbde7cb 100644
--- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -2,5 +2,4 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
index eb0c28c7f..8945d87b9 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::sleep 1
 moon::ipsec up net-net
 moon::sleep 1
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
index 9caf4fa37..8cc4192c6 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -4,8 +4,5 @@ charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
index 9caf4fa37..8cc4192c6 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -4,8 +4,5 @@ charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index f4fd948fd..4de997a66 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
-}
 
-libstrongswan {
   plugins {
     ntru {
       parameter_set = optimum
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 238ec24b7..248642530 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 238ec24b7..248642530 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
index c032d8291..eb8b1400a 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
index c032d8291..eb8b1400a 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
index c032d8291..eb8b1400a 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
index 14e061408..38bfed070 100644
--- a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity
+  
   cisco_unity = yes
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
index cbc51d38c..dbf1bee46 100644
--- a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,13 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity
+
   cisco_unity = yes
+  dh_exponent_ansi_x9_42 = no
+
   plugins {
     attr {
       split-exclude = 192.168.0.0/24
     }
   }
 }
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 8822cae64..0792a3f52 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
+
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 8822cae64..0792a3f52 100644
--- a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
+
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 8822cae64..0792a3f52 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
+
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
index 1fb5d14b1..c08fab86e 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
index 1fb5d14b1..66054d0f9 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
-}
-
-libstrongswan {
+  
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
index 422538cec..02e7618d3 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -2,10 +2,8 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown
+
   dns1 = 192.168.0.150
   dns2 = 10.1.0.20
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index 61260f891..f65197bef 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index 61260f891..f65197bef 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index 61260f891..f65197bef 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
index e2e2164ae..ba37a47cf 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -2,6 +2,9 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown
+
+  dh_exponent_ansi_x9_42 = no
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
index 77266cfa0..7114a3fe4 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -2,6 +2,9 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown
+
+  dh_exponent_ansi_x9_42 = no
+
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index 5cd9bf11e..ca3372f7d 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/acert-cached/description.txt b/testing/tests/ikev2/acert-cached/description.txt
new file mode 100644
index 000000000..42f7432bc
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/description.txt
@@ -0,0 +1,11 @@
+<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+To authorize clients, <b>moon</b> uses locally cached attribute certificates.
+While for <b>carol</b> a valid attribute certificate for the group <i>sales</i>
+is available, <b>dave</b>'s attribute certificates are either expired or
+do not grant permissions for the <i>sales</i> group.</p>
+<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try
+to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails
+to do so.</p>
diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat
new file mode 100644
index 000000000..682c55ce2
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
+dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e72f78742
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..65c9819bb
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fbffbad62
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	rightgroups=sales
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cd836a2b7
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-cached/posttest.dat b/testing/tests/ikev2/acert-cached/posttest.dat
new file mode 100644
index 000000000..e5b8d291c
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/posttest.dat
@@ -0,0 +1,11 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem
+moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem
+moon::rm /etc/ipsec.d/acerts/dave-marketing.pem
+moon::rm /etc/ipsec.d/private/aa.pem
+moon::rm /etc/ipsec.d/aacerts/aa.pem
diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-cached/test.conf b/testing/tests/ikev2/acert-cached/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/acert-fallback/description.txt b/testing/tests/ikev2/acert-fallback/description.txt
new file mode 100644
index 000000000..0008b105a
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/description.txt
@@ -0,0 +1,12 @@
+<p>The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b>. To authorize clients,
+<b>moon</b> expects attribute certificates sent inline in IKEv2 CERT payloads.
+<b>Carol</b> has attribute certificates for both the <i>sales</i> and
+the <i>finance</i> groups. The attribute certificate for <i>finance</i> is not
+valid anymore, hence <b>carol</b> gets access to the <i>sales</i> connection
+only.</p>
+<p>Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> tries to ping both
+<b>alice</b> and <b>venus</b>, but only the ping for the <i>sales</i> related
+host <b>venus</b> succeeds.</p>
diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat
new file mode 100644
index 000000000..985f3208e
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e72f78742
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..37e779fef
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn finance
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.10/32
+	leftfirewall=yes
+	right=%any
+	rightid=*@strongswan.org
+	rightgroups=finance
+	keyexchange=ikev2
+	auto=add
+
+conn sales
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.20/32
+	leftfirewall=yes
+	right=%any
+	rightgroups=sales
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cd836a2b7
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-fallback/posttest.dat b/testing/tests/ikev2/acert-fallback/posttest.dat
new file mode 100644
index 000000000..2ccb86a41
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+carol::rm /etc/ipsec.d/acerts/carol-sales.pem
+carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
+moon::rm /etc/ipsec.d/private/aa.pem
+moon::rm /etc/ipsec.d/aacerts/aa.pem
diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/acert-fallback/test.conf b/testing/tests/ikev2/acert-fallback/test.conf
new file mode 100644
index 000000000..a6c21de09
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/acert-inline/description.txt b/testing/tests/ikev2/acert-inline/description.txt
new file mode 100644
index 000000000..948b84725
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/description.txt
@@ -0,0 +1,12 @@
+<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+To authorize clients, <b>moon</b> expects attribute certificates sent inline in
+IKEv2 CERT payloads. <b>Carol</b> provides a valid attribute certificate for
+the group <i>sales</i>, but <b>dave</b> offers two invalid attribute
+certificates: One is not for the <i>sales</i> group, and the other is issued by
+an AA that has been expired.</p>
+<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try
+to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails
+to do so.</p>
diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat
new file mode 100644
index 000000000..ba448f81b
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
+carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES
+dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e72f78742
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..65c9819bb
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e3abea51f
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	rightgroups="finance, sales"
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cd836a2b7
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/acert-inline/posttest.dat b/testing/tests/ikev2/acert-inline/posttest.dat
new file mode 100644
index 000000000..a0ef98440
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/posttest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::rm /etc/ipsec.d/acerts/carol-sales.pem
+dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem
+dave::rm /etc/ipsec.d/acerts/dave-marketing.pem
+moon::rm /etc/ipsec.d/private/aa-expired.pem
+moon::rm /etc/ipsec.d/private/aa.pem
+moon::rm /etc/ipsec.d/aacerts/aa-expired.pem
+moon::rm /etc/ipsec.d/aacerts/aa.pem
diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-inline/test.conf b/testing/tests/ikev2/acert-inline/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2/compress-nat/posttest.dat
index b8432a8f2..ddab5f9f9 100644
--- a/testing/tests/ikev2/compress-nat/posttest.dat
+++ b/testing/tests/ikev2/compress-nat/posttest.dat
@@ -5,6 +5,4 @@ alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-sun::conntrack -F
\ No newline at end of file
+sun::iptables-restore < /etc/iptables.flush
\ No newline at end of file
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index c393b298a..2ba42b67c 100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -2,10 +2,9 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-}
 
-libstrongswan {
+  multiple_authentication = no
+  
   x509 {
     enforce_critical = no
   }
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index 8e685c862..1e3d11819 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index 63d4f98e7..ec663e70d 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -4,6 +4,4 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
 sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index aa806bfc9..f434b336c 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -4,5 +4,3 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
index bad10ca43..73bbf6805 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 9c0bb5cae..150690e3c 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -10,7 +10,6 @@ carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 moon::ip route del 10.3.0.0/16 via PH_IP_MOON
 moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
-moon::conntrack -F
 moon::ipsec pool --del extpool 2> /dev/null
 moon::ipsec pool --del intpool 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index a3924b2f6..57449be25 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -4,6 +4,5 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::ipsec pool --del intpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
index 311e9f21d..2e78893e3 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -1,5 +1,4 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
 moon::ipsec stop
-moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
index bb20cae05..e46195cd3 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
@@ -1,4 +1,3 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
 moon::ipsec stop
-moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index 2fbc2c3a0..7de2bc9be 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -4,5 +4,4 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
index f4e5316c9..0754edeab 100644
--- a/testing/tests/ikev2/mobike-nat/posttest.dat
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -3,4 +3,3 @@ sun::ipsec stop
 alice::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index 86ac6e7e0..fde195daa 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -1,7 +1,6 @@
 alice::ifup eth1
 alice::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index c380a5110..4d9fed09a 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
+b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
-LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
-6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
-T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
-9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
-cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
-YO2C4HE=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC
+wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7
+Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ
+Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG
+6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN
+d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC
+mk13kTA=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
index 72dff4e10..343fcc15b 100644
--- a/testing/tests/ikev2/nat-rw-mark/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -6,7 +6,5 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 sun::iptables-restore < /etc/iptables.flush
-sun::conntrack -F
 sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat
index 4643a3a7b..bc7d23771 100644
--- a/testing/tests/ikev2/nat-rw-psk/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat
index 4643a3a7b..bc7d23771 100644
--- a/testing/tests/ikev2/nat-rw/posttest.dat
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index f58e82adc..12676f7ac 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -1,14 +1,13 @@
 alice::iptables-restore < /etc/iptables.rules
 venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up nat-t
-venus::sleep 2 
+venus::sleep 2
 venus::ipsec up nat-t
 venus::sleep 2
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
index 11bd19da7..b9fbde7cb 100644
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -2,5 +2,4 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index eb0c28c7f..8945d87b9 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::sleep 1
 moon::ipsec up net-net
 moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
index e9c79b333..d5ac37937 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     dnscert {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
index e9c79b333..d5ac37937 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     dnscert {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
index 44a54a9dd..58deb25f0 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     ipseckey {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
index 44a54a9dd..58deb25f0 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     ipseckey {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt
new file mode 100644
index 000000000..aab0c68c4
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The key exchange is based on NTRU encryption with a security strength of 128 bits.
+The ANSI X9.98 NTRU encryption parameter set used is optimized for bandwidth.
+<p/>
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat
new file mode 100644
index 000000000..69b5ef754
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..01d114dd9
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="ike 4, lib 4"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ntru128!
+	esp=aes128-sha256!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..17f6111fd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
+  multiple_authentication = no
+  send_vendor_id = yes
+
+  plugins {
+    ntru {
+      parameter_set = x9_98_bandwidth 
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e57bec965
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="ike 4, lib 4"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ntru128!
+	esp=aes128-sha256!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..0d1855504
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
+  multiple_authentication = no
+  send_vendor_id = yes
+
+  plugins {
+    ntru {
+      parameter_set = x9_98_bandwidth
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index f4fd948fd..4de997a66 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
-}
 
-libstrongswan {
   plugins {
     ntru {
       parameter_set = optimum
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
index b0225c37e..5fca9501d 100644
--- a/testing/tests/ikev2/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -4,4 +4,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-sun::conntrack -F
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
index 77f5bde52..dd6ed8e4b 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
 IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
-Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT
 AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
 bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
@@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
 mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
 DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
 UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
-4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
-BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
-rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
-GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
-FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
-BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
-9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
-zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
-14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
-lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
-1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==
+4qcCAwEAAaOCARYwggESMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G
+A1UdDgQWBBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJ
+bwUSQJDtrfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9y
+aXR5MRwwGgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkA5Dcz3FD7TswwHgYD
+VR0RBBcwFYITb2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD
+CTANBgkqhkiG9w0BAQsFAAOCAQEAp6nXN0kW1HduCfwJQ/JVs4PJMZ80na7l1ret
+YBWy0PflqOOOMudLu4eWbMipLBkgly9WYXrZlvIVkPHXJ9YJHevy3Wn3DRefsJ9l
+Zdrc3A1WclEEE5aK3uq+c/VK5oYBYNkSMOgwDzD18WoRpyUhUxwZTWMG27nutZfS
+fl0P8pjkx+YC0nNJjK50hq7wcd2U2JBFl3WLtrjDpIyuYSaDhPMqCGYyNqrAuWTJ
+T5cZWY8r5pKMRQLqKX+IOTHkhk0wS8U3o8TCBe5g2J9dDedDCz+/UAIq2rFPhXxE
+FiVXHxDxr4APbVurgspe5jm36oNRSK1MAMrhYZDTle/caa2frA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
index 77f5bde52..dd6ed8e4b 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
 IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
-Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT
 AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
 bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
@@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
 mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
 DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
 UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
-4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
-BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
-rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
-GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
-FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
-BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
-9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
-zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
-14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
-lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
-1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==
+4qcCAwEAAaOCARYwggESMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G
+A1UdDgQWBBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJ
+bwUSQJDtrfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9y
+aXR5MRwwGgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkA5Dcz3FD7TswwHgYD
+VR0RBBcwFYITb2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD
+CTANBgkqhkiG9w0BAQsFAAOCAQEAp6nXN0kW1HduCfwJQ/JVs4PJMZ80na7l1ret
+YBWy0PflqOOOMudLu4eWbMipLBkgly9WYXrZlvIVkPHXJ9YJHevy3Wn3DRefsJ9l
+Zdrc3A1WclEEE5aK3uq+c/VK5oYBYNkSMOgwDzD18WoRpyUhUxwZTWMG27nutZfS
+fl0P8pjkx+YC0nNJjK50hq7wcd2U2JBFl3WLtrjDpIyuYSaDhPMqCGYyNqrAuWTJ
+T5cZWY8r5pKMRQLqKX+IOTHkhk0wS8U3o8TCBe5g2J9dDedDCz+/UAIq2rFPhXxE
+FiVXHxDxr4APbVurgspe5jm36oNRSK1MAMrhYZDTle/caa2frA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index c41a668f0..baeccb357 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,6 +1,10 @@
 moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES
 carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
 dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
+dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
 moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
 dave:: cat /var/log/daemon.log::certificate status is good::YES
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a2ce5ad93..a6ae74fe3 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,5 +1,5 @@
 moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
-moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
index f586a9414..94bf123d2 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIID+DCCAuCgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIID+DCCAuCgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MDMyNDIwMzc0N1oXDTE0MDMyMzIwMzc0
-N1owYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MjM1MloXDTE5MDMyMzE0MjM1
+MlowYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
 BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPqE4le5QodSA+
-NXnQ1IFI0XWcBDDwQDNcQ6qMScSCaboPFCLrlC9E70J2eGeX2v/UDTQpEOxQ4fGX
-Efk0/MdJjnWGAO95jEInNJ+DuexfrP5REiryKDfryA0d6xiQb/a2M7UuDgxPgyZf
-VyvU7SHebue4317v5NyGJeRnkN3/onNpdjpWu9Le9DqenBQ2SITgo7NsVsNsqhnT
-1jg2jfxJ8OXzi7/6JvuxxweCoDxr+KeKIViFAqNlyufeyIvowdjHTlJRvN/9Wl+/
-jPiHmFcIyIc1o8EUHzM9AEIWtB2DeHL62e7LVJbjMXsLAkTggc3BkGE2cWFOBY0f
-J4R+AKWDAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
-BBYEFIuo2f3quxaDSQ4lj9zJcPYmmc8iMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXPVagzyvHEGzA
+6jWum0URx2TSMs8cM991OU3n8fkBiLEY9H8DUbjEZlZ0mgcxTOSXSmyqmW+10QCy
+yHPBtR0kxNY/Bl/+QppnB7IpFCR9bsvA4bySYUbdlQWdIPGTmT1polGtoF1mPZ2r
+JqN+Ai5jnFduJ+/189l8chqcz8KlJ2Jp72OaeYqQpgDfo63hqS71OzyY1Cu27vHl
+ay186P+HW75yr5YMwxtYk/rZ6jHRMXFwmI+bq1vgpKYHTomaVCG3zDUD+1XsGVBX
+u3z6qh6FaxxDPizT/fcCbYcYGbKjJw14JOqfddeAHZe+N41Wev0gAhOCIgUiMoxV
+bbx0XkMzAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFHtMZgnElcGoYKmMUvCkQaloTKKfMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj
 zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
-b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEPMB8GA1UdEQQY
-MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQBiOKAx
-ePEwlga++nOpkfBg6ESag5/VWfnAp1zRpXHXnRak10OTtCPDjmJiDUzlKBwolwJN
-I6T3S7eg+M04E3r5IHn3i+HtQcENkq02YUPiUXS5cvLtzKMPIm8pYCj7/5pXxAek
-nHGRdBZkQiGDz49H9rPKxLdJDTLCXpj4l9uOFgsbiQ3k5SyWq5oMhtZsf4VKqAd+
-77Mbn9pnjjy53wLuzjaMVX+K5KKotPNeSHH/pWh9RqNROmf6F2B0nZhW5Aryxa9/
-24GRkZEPZ+cqhtwgVjq5aImzdSrARJQ1tu6lZqNB5b9klYSAi+al0FrvUFoG58Qt
-eWeiFXLvAtXTGoax
+b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEgMB8GA1UdEQQY
+MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCWS7T3
+Np88w0oHJAeMJUdfNGVSlhPFrtqnrNDqYleLEgY2XwJj6cxottILtvgJ+nbsT4uz
+bp5Qk4pygNG3wESt0avGptgSs0Pued/CdHMyyFTrFw/RN7113eTHShDfTtnS0dhh
+6AkI2lxFcNwrGMGh2CqdOyApDYqdm5qayk2CSKnoWOvEL1+SLyfy+XIYCFkarfbv
+ZTCWeO/R8doQVZ+H2gW6NloYJVkUpfMHCqTpd9psAK+hvc/R+6eP03wmhAb8S4mK
+OGdb8VOT7CAaL8f37vrDvj08nOG32j24/JOyrtS7vuAhP2QmDDF15XucygtgskRB
+iQNoCoi+dBX92ol4
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..f4b0af38c 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA1z1WoM8rxxBswOo1rptFEcdk0jLPHDPfdTlN5/H5AYixGPR/
+A1G4xGZWdJoHMUzkl0psqplvtdEAsshzwbUdJMTWPwZf/kKaZweyKRQkfW7LwOG8
+kmFG3ZUFnSDxk5k9aaJRraBdZj2dqyajfgIuY5xXbifv9fPZfHIanM/CpSdiae9j
+mnmKkKYA36Ot4aku9Ts8mNQrtu7x5WstfOj/h1u+cq+WDMMbWJP62eox0TFxcJiP
+m6tb4KSmB06JmlQht8w1A/tV7BlQV7t8+qoehWscQz4s0/33Am2HGBmyoycNeCTq
+n3XXgB2XvjeNVnr9IAITgiIFIjKMVW28dF5DMwIDAQABAoIBAQC44viRw8OgCAzT
+HZwlMzz+S5/gK0Lav/g38pRoI+M4HRm7DPI5gK5NDnc/S7vX7mwBRS3Y0Voy/Kgz
+6pn8j73MAsTieHBmsQF+dQ7l2GaL1GtzcLSRrLu5xLOAyHaayawGHCc7FKCGHXFd
+PiB8MhV0/Svg9K9cPy3XhxAzGQfi4kF9+a3+3NDWnV4kcQbW6s3ykGBF9xxqZu5K
+gbvDxNhZFrcv65SMBwghjdDldngtjMB3ZbiMRltobbvTRWHwqgd9V1qf2g3at1dZ
+z8ws8UFOhWgCsvT/W+2pPBCJFz0dvfJXCiaWbA4kCmHViJVIoxtdREj5EtmaSQtT
+cENSR0HRAoGBAO9jbCUy/dfqPvFowEfpDu1jBrGFoxL8UY8K8wr+NCjbusmbB7+a
+n5XLkrpyBGlNSYa1zP1eNpsLq+ee5XTwEbXMWDaOfMNlURNiHy9KfHnEZ4UVDKfa
+WW9skfS7adFxwkOxAOM7BynsIrcJ8OgBrP+gKTM4aKvZNRcfGfZAhaj5AoGBAOYs
+7c8z0M9JvN9RDpyXT51Rus24n2ApsupPwMeGZwoz45EJPzK9FUFq+x6abENFCGrp
+xQ4Sg8QSGSAL78j2jEo+d8qRGoUr7o8zJElfsx/ZvELR3cGgv8Aut7vwW6/SNKlz
+MTDiqaf9H9FEEwKV1hbauuJrS1VOMtMAbGG27KSLAoGBAKTozcg2f24tXVz6d3NS
+VskrraG/WN6sWRb8SP+qrI31CJD3rnfM8eDEU3kDMIzGBD+7n9JvA5j9ilfOO226
+L8kYUzCKKeKFOjvrHWZ7npJXvaSNIqHDJlc+6LE6JiR1hIkTN3RR5pZ3qFaFj6KT
+/PRABgHV+y1fPVaHQ2BDhJApAoGAU9PxGBFK7vNv8fTXWXhR6n2lht7CTIdjPaqm
+DwSH6lNTgbLYbWYno5eOtWqQGz+8/RL+TU2452Of+ufeAFaqaS+u+Ps3qWCClWyO
+vpo35lWqFrvQA4DD1P4utCepfLMVstDdDWy/VQr+13vvYHWpbtFiVqu01/CO2gHB
+dyTjslkCgYEAhsDsPqKdlh1DzVZudNUeMRaE2V6yG937Vf9VB/rNphm+gEwwmM3l
+/kfErgTcYzgjV/2csIVZxm9nk17A+ZnPUnIDW2keI1+eIPw/IEWceX+4adKwiv5h
+IL5HsD/O12ZD8Mi5mmkGgNVI4nN8TldxiHvh7tAxQQiMrv/AnHTiA8A=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
index cae8184f6..c464df579 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELTCCAxWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA5MDMyNDIxMTA1M1oXDTE0MDMyMzIxMTA1M1owXTEL
+BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE1MjcwMloXDTE5MDMyMzE1MjcwMlowXTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT
 DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqgEdIrRiLkrf0UfCB4xUyx/5cs
-Ka5h1MNBks2cKP6uABOL+jnlkRtyVFIOOCuNMgcK+873LC87UU32zapbe6Ph46aN
-5M9ADMA6PtVeNkJIetVSVtT9DUL5II4kJ/hJUjINbt7omAiDAIWDGKNmTCsR18Ua
-o1O/QFbiTT96fMFKX8EXiJgMt/5+vOWG0s1nGz6gn40R/2K52EvBmu5v0M3TX67c
-YQFgBqMNfvnk0jLy10pEHro1OjgiTTj1DQd55ydSKGa0JvMDT/GOQeR87zkshRLz
-bhxXOt4Ej2kkYbs9ILm7jKa9XfUYI58vCYLHwhGzpLZSsJ2xXkgfAAIFTI8CAwEA
-AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57r
-UdNRbytUkRGYGjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7tkn1sXzlBRzSVHoPoct2D0kht
+E/Tf+LnryMsw79IBMfiOU61ijdwx2jCLxUh7t90NEIN4CdpIYqzc/1Yi/LWXD9+G
+8gBwft5nqTIz8S8Lf6Qiy4LjGXV3VWpDMZLLRJL5ZWm+0ZN8Wtp9qglVh4LnQSiy
++NYTlxnRtPB7xkwia287wn4aQfNJpNhlocXdSpGIF5bNIQm32n84SDMafXtuA+vv
+8/72nBiy2SWhkAd+CiNq5dnZkYGnIFL718V6Zu4kmZQhzM3gi/7POZCkOCeSZVeh
+AJJf1mJI7SJH54XYkZLUS5EG6ad3kBf1nFGRAjPgwxQHhfUlP8njpjsV7WUCAwEA
+AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSYfvgn
+nLJ1nMbHDd2zdo60Qpy0HDBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT
 KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
-GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZl
+GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZl
 QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0
-cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQEFBQADggEB
-ADn1ow4aGxckB4HsJQf1Z6LFpiCOExqhqcK/+fsFcl/WM3F0F+1TbEWzwFzDj3Yu
-5gH6DQ/c0Fp+WYCKAbZXdYoKHJDSZY0BsoD7Nglc1r+l1wFRv1UGF5DoYZPryHGA
-FkusMTUQMvWRRmN9PsURQ77DsmAtryKi5aDQ/rAiPIJK67bQ0HmvPAynO8IF2Fd9
-GpqFSc0gZni9NQszVUH33nuLlZP1hFC5MDeqhcqgmUL/GZbs7DZYThF4INBryfOg
-xFE73CpyNQHHmfT23TLsrFD5IXCp3z3oMtCtTphwUnCJrEzZ1H7mJ+xSJoJ3MOqd
-mNs1ygehz0a99cPoX1j/iwo=
+cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQELBQADggEB
+AK3d7gR8IpPu03rV/RnOx4seoZAgm6//nCvP2ceFrEy4tbihnJ+QDvwrgKb/UvwK
+yERLXh/X7WhDyLSyVrbQq/Jj4xEOB5PMSItpmiDHYGX+YaiymZT3VsTJah1zqxSe
+amqHhrlW2U+UDqz/7vFClknSO6tn1vbNo4miYiVALGtRSMhFhVZsXfnA9+VKLdua
+vvdeueRCDg7aXPfAU0MAdcJIYoegJRnLZsJ4IfE/OWvMFnR1w4NmhIHhNT8T/ib0
+3pi2cp6JeSOcZ1Upd2napUoGd2U4XfNE15XGCdoVRazA1STWhfHwu/aBUnINpk0M
+zqpIrvuM6lklZb8gUl4pPwc=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..e4054aee9 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEogIBAAKCAQEAzu2SfWxfOUFHNJUeg+hy3YPSSG0T9N/4uevIyzDv0gEx+I5T
+rWKN3DHaMIvFSHu33Q0Qg3gJ2khirNz/ViL8tZcP34byAHB+3mepMjPxLwt/pCLL
+guMZdXdVakMxkstEkvllab7Rk3xa2n2qCVWHgudBKLL41hOXGdG08HvGTCJrbzvC
+fhpB80mk2GWhxd1KkYgXls0hCbfafzhIMxp9e24D6+/z/vacGLLZJaGQB34KI2rl
+2dmRgacgUvvXxXpm7iSZlCHMzeCL/s85kKQ4J5JlV6EAkl/WYkjtIkfnhdiRktRL
+kQbpp3eQF/WcUZECM+DDFAeF9SU/yeOmOxXtZQIDAQABAoIBAHGuCqBk/RtTRW8Z
+zR3igdg4Jzoq0p/gu6BIbJNUWywgA/ftGQNT9WNW7+tjngpoDWafWscfFyqYQb19
+27jSl8qbJtlCJYkgRFKi2E0ARCv4QTNG+k75vG7QFFjAeWePzCiCYrhpYHGKC8+k
+4dkm579+lElrqVDSilxg3OqQ1SvVcBPn+ADsFBR30Z7xvxU2iJV+A+zw7tV9EQhU
+4t0zGny5lsxNSr57FbJDn5Y+aUoXo7okty2MAjL0jEXM5bwgOsgBYWQass1hhFRb
+EnGk+WJTZUs0o1+WPi+2hrNHFwAKBzfI4ZRigEPa4monRDeCnyOe64qhb+koC/AA
+MNulG4ECgYEA5zIAmtGivoC92ffuQd+uk0mXNYSnKQFIYbs7L/GO8xLX1lzZQeA3
+tRRUM6s3aAmoB1q69x60HFulL/WmMvx+uKGrRIIimXTvRunxt2QFHAcnkAR3C4Vt
+habUbilP9qbj6wWU6GCyopkPC2OQmQgy9bE6f/6E6ArlYafatPMzQAkCgYEA5SEL
+oVbUXfyD9M7dm0q9R4GvzKIyg1l+afdXCCS4VoEhg+Sq94wBDjpezctt/8WhICau
+uoZzTZ9Y1SEsQ9JMQ0XCurV6C9eIR+mNrq4Ik7oqVMe7IbOoaYwuOpY8cJQXRNfR
+6EGthY2wZtzE7a4OyuinWUkfyzQcnwV6nb/6oX0CgYA5bIwF6Ef59VQyjYhaSEq+
+PqsWGerDHpRx4eVjlSYibe26SrmTyTNNAM2hP8e1SaC4ouqJctDdsk2nSeaMB3ca
+ON2nWINrhkXgYT8ug+NZANXsyY8gB3YamkNtUUmRRAacW3iO92WnSUkZVROXTxgJ
+OooDPJ6aXAp5ZQ3HoBh8sQKBgFXT5AxifxhZr4AzQRWbkH1JmfWYSD2ld1HwQZye
+TKKyqkBClrw1qGuQ99Q0wJaPjASEGO1r0aMg7mCflXouOzzz07ampfnrmXP+i4EE
+VdgoYxTw4CsGpi4rQWHWxvsQrgquoUVT3NDrO0m8ptO1YHsnXRB38L3oXlQ+9ChF
+MnftAoGAOVoCOlqqnkUY/u7U3tWu2W5WUnqdsopBxXHhygFKoJS9IcKx5gYoxTTj
+XJBGrKU/PD7TIQevRvdIqZFI+PtinhSF1z3zFMoCoKhaNOnul+hNYMn/IwxJFv1Y
+XqDI8srXac4vcTsKV0OtPnirx3+pnRlrQupNRZLocZciygUY7PM=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 6ba1be6b1..0e97d45bd 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,6 +1,5 @@
 moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
-moon:: cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
-moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer certificate::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 102801a92..4e2acefeb 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 102801a92..4e2acefeb 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 102801a92..4e2acefeb 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 69f9845af..bbbafd71b 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 69f9845af..bbbafd71b 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 8caa11c97..66d8fb315 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 6c8911e5a..3eda3aa58 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
 
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
index 535b37210..1a0f83687 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
index 535b37210..1a0f83687 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index a436131bf..06d4dd917 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,5 +1,6 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 4272d98be..5e06976d1 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="tls 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 2eb2adc78..d397fe6f6 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
index b9a58e902..37fa2b435 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="tls 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 2eb2adc78..ac6642e5b 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
   multiple_authentication=no
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
index 283099acb..407427a0d 100644
--- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -6,7 +6,5 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::conntrack -F
 sun::rm /etc/mark_updown
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/libipsec/net2net-3des/description.txt b/testing/tests/libipsec/net2net-3des/description.txt
new file mode 100644
index 000000000..632162c31
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/description.txt
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> 
+plugin is used for userland IPsec ESP encryption. The negotiated encryption and authentication
+algorithms are <b>3DES</b> and <b>SHA-1</b>, respectively.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat
new file mode 100644
index 000000000..f60fea6bf
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES
+sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f1d328fe5
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-sha1-modp1024!
+	esp=3des-sha1-modp1024!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..3bd31c61f
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+        ike=3des-sha1-modp1024!
+        esp=3des-sha1-modp1024!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-3des/posttest.dat b/testing/tests/libipsec/net2net-3des/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-3des/test.conf b/testing/tests/libipsec/net2net-3des/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
index 06bcaa1e5..69c6e3222 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -4,9 +4,7 @@ charon {
   load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
-}
 
-libstrongswan {
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
index 06bcaa1e5..69c6e3222 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -4,9 +4,7 @@ charon {
   load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
-}
 
-libstrongswan {
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
index efa0575e5..fa8dd94a4 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
-}
 
-libstrongswan {
   plugins {
     openssl {
       fips_mode = 2 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index 628476313..490146249 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -3,9 +3,7 @@
 charon {
   load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
-}
 
-libstrongswan {
   x509 {
     enforce_critical = no
   }
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
new file mode 100644
index 000000000..bd680b57a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
new file mode 100644
index 000000000..460c659d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..7601113ab
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.asc
+	leftid=@#71270432cd763a18020ac988c0e75aed
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..aea93d234
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..641c3d929
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=moonCert.asc
+	rightid=@#71270432cd763a18020ac988c0e75aed
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..aea93d234
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
new file mode 100644
index 000000000..9a9513dc3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
new file mode 100644
index 000000000..0f4ae0f4f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 9f31821cd..a952c8189 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 5708510ef..d9d650c8b 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     required = yes
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index f065861dc..065050d5b 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index a2c02f630..7d32c11c3 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 6072bb335..c55b0a9b6 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 5660f4376..af4737fbe 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,13 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
 
 libtls {
-  key_exchange = ecdhe-ecdsa
-  cipher = aes128
-  mac = sha256
+  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 }
 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
index 128d4f2d9..8a8e08e22 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
@@ -4,14 +4,13 @@ charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
index 958a502c2..c97a52088 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -7,14 +7,13 @@ charon {
   retransmit_base = 1.5
   retransmit_tries = 3 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
index fc49f9fd2..a234b6cca 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,14 @@
 
 charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-}
 
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
index 128d4f2d9..8a8e08e22 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
@@ -4,14 +4,13 @@ charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
index 958a502c2..c97a52088 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
@@ -7,14 +7,13 @@ charon {
   retransmit_base = 1.5
   retransmit_tries = 3 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
index fc49f9fd2..a234b6cca 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,14 @@
 
 charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-}
 
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2 
diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat
index a1d5b4612..f02095725 100644
--- a/testing/tests/p2pnat/behind-same-nat/posttest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat
index 4b696b90f..90a729237 100644
--- a/testing/tests/p2pnat/medsrv-psk/posttest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat
@@ -6,5 +6,3 @@ carol::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-sun::conntrack -F
diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat
index 4643a3a7b..bc7d23771 100644
--- a/testing/tests/pfkey/nat-rw/posttest.dat
+++ b/testing/tests/pfkey/nat-rw/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 3da60b82f..8aa0ef4f5 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index 3da60b82f..8aa0ef4f5 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index 3da60b82f..8aa0ef4f5 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 7cd88f5da..101bd2e2b 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -7,9 +7,7 @@ charon {
     }
   }
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 7cd88f5da..101bd2e2b 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -7,9 +7,7 @@ charon {
     }
   }
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 7cd88f5da..101bd2e2b 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -7,9 +7,7 @@ charon {
     }
   }
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
index f7d86ec7f..97ff0c1ec 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
@@ -6,7 +6,7 @@ carol::cat /etc/tnc_config
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 dave::cat /etc/tnc_config
-alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data.sql
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
 alice::ipsec start
 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
new file mode 100644
index 000000000..29976509a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
@@ -0,0 +1,26 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
+the mandatory default being <b>ecp256</b>, with the strongswan.conf option
+<b>mandatory_dh_groups = no</b> no ECC support is required.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
new file mode 100644
index 000000000..5eb944055
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d17473db1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..72bf2c7c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+    imc-attestation {
+      mandatory_dh_groups = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d459bfc6c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..6f71994ae
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+    imc-attestation {
+      mandatory_dh_groups = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..bc8b2d8f9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
new file mode 100644
index 000000000..2bb7e7924
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e76598b9a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,34 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+      dh_group = modp2048
+      mandatory_dh_groups = no
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..6507baaa1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
new file mode 100644
index 000000000..49ea0416e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
index e6f5ad365..f4ea047ec 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -2,20 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+  integrity_test = yes
+
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
     }
-  }
-}
-
-libstrongswan {
-  integrity_test = yes
-}
-
-libimcv {
-  plugins {
     imc-test {
       command = allow
     }
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index db91eace4..4c738ce42 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -2,20 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
   multiple_authentication=no
+  integrity_test = yes
+
   plugins {
     eap-tnc {
       protocol = tnccs-2.0
     }
-  }
-}
-
-libstrongswan {
-  integrity_test = yes
-}
-
-libimcv {
-  plugins {
     imc-test {
       command = isolate
     }
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index 3fc6c3a4b..0b1cf10eb 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -2,7 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+
   multiple_authentication=no
+  integrity_test = yes
+
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,17 +17,3 @@ charon {
     }
   }
 }
-
-libstrongswan {
-  integrity_test = yes
-}
-
-libimcv {
-  plugins {
-    imv-scanner {
-      closed_port_policy = yes 
-      tcp_ports = 22 
-      udp_ports = 500 4500
-    }
-  }
-}